b'       Peace Corps\n       Office of Inspector General\n\n\n\n\n           Information Technology Governance\n\n\n\n\n            Final Audit Report:\n Peace Corps Office of the Chief Information\nOfficer Budget Formulation and Management\n\n\n                  January 2010\n\x0c            Final Audit Report:\n Peace Corps Office of the Chief Information\nOfficer Budget Formulation and Management\n                IG-10-05-A\n\n\n\n\n         ____________________________________\n                   Gerald P. Montoya\n          Assistant Inspector General for Audit\n\n\n\n\n                    January 2010\n\x0c                              EXECUTIVE SUMMARY\n BACKGROUND\n The Clinger-Cohen Act of 1996 and the Office of Management and Budget (OMB)\n Circular A-130 required agencies to establish an information technology (IT)\n investment process and defined the responsibilities of the agency Chief Information\n Officers. Peace Corps established a governance process to ensure that its IT strategy\n aligns with business strategy and to manage its investments in IT. IT governance is\n essential to the Office of the Chief Information Officer (OCIO) budget formulation\n because it establishes OCIO priorities and influences resource allocation.\n\n The Chief Information Officer (CIO) is responsible for providing advice and other\n assistance to the Peace Corps Director to ensure that IT is acquired and information\n resources are managed in accordance with federal regulations. In FY 2008, the CIO\n managed an office of 58 employees and 27 contractors and a budget of approximately\n $8,470,500 in operations and maintenance funds and approximately $9,157,200 in\n centrally managed funds.\n\n We reviewed the Peace Corps IT investment and OCIO budget processes to determine\n whether Peace Corps complied with federal requirements and ensured the most\n efficient and effective use of agency resources.\n\n IT GOVERNANCE PROCESS\n Peace Corps did not establish an effective IT governance process as required by the\n Clinger-Cohen Act of 1996 and OMB Circular A-130. Specifically, Peace Corps did\n not:\n      \xe2\x80\xa2 Develop an Information Resource Management strategy.\n      \xe2\x80\xa2 Maintain a current IT roadmap to guide future decisions.\n      \xe2\x80\xa2 Clearly define the criteria for prioritizing and selecting IT investments.\n      \xe2\x80\xa2 Have a standard method for monitoring and evaluating all project costs and\n         schedules.\n\n As a result Peace Corps:\n    \xe2\x80\xa2 Management lacked the necessary information to make informed IT planning\n        and budget decisions and did not fully understand the IT investment process.\n    \xe2\x80\xa2 Offices made short-term decisions that did not ensure the most efficient and\n        effective use of information resources. For example, the agency spent more\n        than $99,000 in funds and labor costs that could have been avoided for two\n        uncompleted IT projects.\n    \xe2\x80\xa2 Management did not adequately plan high priority initiatives and failed to\n        allocate sufficient resources to fulfill federal IT requirements.\n    \xe2\x80\xa2 Project managers frequently allowed IT projects to exceed budget estimates and\n        miss scheduled milestones.\n\n See finding A for more information.\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management   i\n\x0c BUDGET MANAGEMENT\n The OCIO did not ensure its budget resources were sufficient and expended efficiently.\n Although controls were in place and operating effectively to ensure fund allocation and\n expenditures were necessary, justified, and properly approved, the OCIO\n inappropriately commingled its two fund accounts and relied heavily on additional\n agency funds to support routine business activities. The OCIO also did not adequately\n manage its contracts and oversee the agency\xe2\x80\x99s IT personnel.\n\n Because of poor budget management, the OCIO:\n     \xe2\x80\xa2   Risked that essential and required functions would not have adequate funding.\n     \xe2\x80\xa2   Did not maintain adequate oversight to ensure that its workforce completed\n         tasks timely and efficiently.\n     \xe2\x80\xa2   Paid $35,000 in unnecessary contract services and failed to properly track an\n         additional $149,000 in contract costs.\n     \xe2\x80\xa2   Did not properly manage $97,000 in lapsed salary costs.\n     \xe2\x80\xa2   Did not maintain oversight of all agency IT resources as required by the\n         Clinger-Cohen Act of 1996.\n\n In addition, the Office of the Chief Financial Officer (OCFO) did not provide Peace\n Corps offices with adequate guidance concerning the request of additional agency\n funds and failed to monitor the use of the additional funds. As a result, OCFO did not\n have sufficient administrative control of funds to ensure the most efficient use of\n agency resources and could not make fully informed decisions when providing\n additional resources to offices.\n\n See findings B and C for more information.\n\n RECOMMENDATIONS\n Peace Corps Office of the Chief Information Officer made improvements during FYs\n 2008 and 2009 by revising the investment review board process, reviewing its\n budgetary accounts, and reevaluating its contract mechanisms. However, the Peace\n Corps will continue to expend resources inefficiently until the agency establishes an\n overall information resource management strategy and IT plan. See the Agency\n Initiatives section for more information.\n\n Our report contains 23 recommendations, which, if implemented, should strengthen\n internal controls and correct the deficiencies in the Peace Corps OCIO budget\n formulation and execution processes. Among our recommendations, we address the\n need for an agency-wide information resource management strategy, criteria for\n investment review board decisions, a process that clearly defines responsibilities\n related to preparing and retaining project documentation, a consistent project\n evaluation method, and clearly defined and separated OCIO fund accounts.\n\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management    ii\n\x0c                                                     TABLE OF CONTENTS\n\nEXECUTIVE SUMMARY ................................................................................................. i\n\nINTRODUCTION .............................................................................................................. 1\n\nFINDING A. INFORMATION TECHNOLOGY PLANNING AND INVESTMENT\nCONTROL .......................................................................................................................... 3\nLONG-TERM IT PLANNING .............................................................................................................................. 4\nIT ROADMAP ................................................................................................................................................... 7\nPLANNING AND INVESTMENT CONTROL PROCESS ........................................................................................... 9\nPROJECT MANAGEMENT................................................................................................................................ 20\n\nFINDING B. OFFICE OF THE CHIEF INFORMATION OFFICER BUDGET\nFORMULATION ............................................................................................................. 24\nSEPARATION OF OCIO FUND ACCOUNTS ...................................................................................................... 25\nREQUEST FOR AGENCY RESOURCES .............................................................................................................. 26\n\nFINDING C. OFFICE OF THE CHIEF INFORMATION OFFICER BUDGET\nMANAGEMENT .............................................................................................................. 29\nCONTRACT MANAGEMENT ............................................................................................................................ 29\nOCIO PERSONNEL......................................................................................................................................... 32\nAGENCY IT PERSONNEL ................................................................................................................................ 33\n\nAGENCY INITIATIVES ................................................................................................. 36\n\nINTERNAL CONTROLS ................................................................................................ 37\n\nQUESTIONED COSTS AND FUNDS PUT TO BETTER USE .................................... 39\n\nLIST OF RECOMMENDATIONS .................................................................................. 40\n\nAPPENDIX A.: OBJECTIVES, SCOPE, AND METHODOLOGY\n\nAPPENDIX B: ACRONYMS AND GLOSSARY\n\nAPPENDIX C: CHIEF INFORMATION OFFICER RESPONSIBILITIES\n\nAPPENDIX D: MANAGEMENT\'S RESPONSE\n\nAPPENDIX E: OIG COMMENTS\n\nAPPENDIX F: AUDIT COMPLETION AND OIG CONTACT\n\x0c                                          INTRODUCTION\n\nGENERAL                          The Office of Inspector General conducted an audit of the\n                                 budget formulation and budget management of the OCIO\n                                 January 28, 2009 - June 12, 2009. We reviewed the agency\xe2\x80\x99s\n                                 IT investment and OCIO budget processes from fiscal years\n                                 (FYs) 2007, 2008, and 2009. We performed this audit in\n                                 accordance with generally accepted government auditing\n                                 standards.\n\nBACKGROUND                       The Clinger-Cohen Act of 1996 (CCA) and the Office of\n                                 Management and Budget (OMB) Circular A-130 required\n                                 agencies to establish an information technology (IT)\n                                 investment process and defined the responsibilities of agency\n                                 CIOs. The purpose of the Peace Corps OCIO is to ensure\n                                 prompt, efficient, and effective implementation of information\n                                 policies; compliance with federal IT regulations; and\n                                 management of IT resources for the Peace Corps. OCIO\n                                 responsibilities include:\n\n                                      \xe2\x80\xa2   Providing agency IT direction, standards, enterprise\n                                          architecture (EA), infrastructure, and IT strategy. 1\n                                      \xe2\x80\xa2   Developing agency approved technology solutions.\n                                      \xe2\x80\xa2   Evaluating new technologies and researching products.\n                                      \xe2\x80\xa2   Testing information technology.\n                                      \xe2\x80\xa2   Providing technical oversight of IT projects.\n                                      \xe2\x80\xa2   Providing technical guidance to agency offices.\n                                      \xe2\x80\xa2   Coordinating with agency offices to ensure IT success.\n\n                                 The OCIO uses its funds for the development and application\n                                 of IT products, training, and security of Peace Corps domestic\n                                 and international operations. The OCIO FY 2008 budget\n                                 included operations and maintenance funds of approximately\n                                 $8,470,500 and centrally managed funds of approximately\n                                 $9,157,200. In addition, agency offices use their funds for IT\n                                 projects.\n\n                                 Peace Corps has attempted to implement a successful IT\n                                 governance process since 2002 with mixed results. The IT\n                                 governance process involves aligning IT strategy with business\n                                 strategy, ensuring that IT projects stay on track to achieve their\n                                 strategies and goals, and measuring IT performance. IT\n                                 governance is an essential element of the OCIO budget\n\n1\n    See appendix C for a glossary of terms.\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management           1\n\x0c                             formulation because it establishes OCIO priorities and\n                             influences resource allocation.\n\nOBJECTIVES                   The overall objective of this audit was to determine whether\n                             the OCIO, in conjunction with the OCFO, implemented\n                             effective budget formulation and budget execution procedures\n                             that resulted in the most efficient use of Peace Corps budgetary\n                             resources. Appendix A provides a description of the audit\n                             objectives, scope, and methodology.\n\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management     2\n\x0cFINDING A. INFORMATION TECHNOLOGY PLANNING AND\n           INVESTMENT CONTROL\n\nPeace Corps did not manage its information technology investments efficiently and\neffectively in accordance with OMB Circular A-130. Although Peace Corps made\nseveral attempts to define the IT investment process and continued to refine the\nprocedures, it had not developed a sustainable and mature solution. This occurred\nbecause:\n    \xe2\x80\xa2   The Peace Corps failed to develop adequate long-term IT planning necessary to\n        guide investment decisions.\n    \xe2\x80\xa2   The Peace Corps did not implement an adequate planning and investment control\n        process to select, prioritize, control, and evaluate information technology.\n    \xe2\x80\xa2   The OCIO did not clearly define and enforce its project management policies\n        necessary to ensure all required information was obtained and maintained for the\n        life of the IT investment.\n\nAs a result, Peace Corps expended time and resources on IT that was not cost effective,\nfailed to allocate sufficient resources to fulfill federal IT requirements, and did not\nadequately plan high priority initiatives. Further, Peace Corps IT projects were\nfrequently over budget and schedule. Additionally, the agency inappropriately spent\nmore than $99,000 in funds and labor on two uncompleted projects. These costs could\nhave been avoided with proper planning and documentation.\n\n\nIT INVESTMENT MANAGEMENT\nOver the last seven years Peace Corps has attempted to implement a governance process\nto manage its IT investments. However, the agency\xe2\x80\x99s IT process was not strategically\nfocused and many of the processes were not followed. The following provides a timeline\nof the major developments in the agency\xe2\x80\x99s governance processes.\n\n        2002 \xe2\x80\x93 Established the Office of IT Architecture, Standards, and Practices\n               in the OCIO to manage the agency\xe2\x80\x99s EA program.\n        2003 \xe2\x80\x93 Developed draft EA documents for four IT systems.\n        2003 \xe2\x80\x93 Implemented the Investment Review Board (IRB) consisting of senior\n               management that reviewed IT investments and recommended to the\n               Director which projects to fund.\n        2003 \xe2\x80\x93 Chartered the EA Advisory Board (EAAB) to ensure projects aligned with\n               the agency\xe2\x80\x99s EA.\n        2005 \xe2\x80\x93 Established a Project Management Office (PMO) to coordinate all IT\n               project requests, ensure no duplications of effort exists among offices, and\n               serve as the central repository for tracking all agency IT projects.\n        2005 \xe2\x80\x93 Drafted change management policies designed to mitigate risk, reduce\n               disruptions, and coordinate activities for all changes that impact any\n               shared computing system or service.\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management   3\n\x0c        2006 \xe2\x80\x93 Updated the Systems Development Life Cycle (SDLC) Handbook that\n               defines the required documents and decisions applicable for each project\n               phase, from project concept to disposal.\n\nThe Government Accountability Office (GAO) defined five maturity stages of agency IT\ninvestment management, ranging from merely investment awareness to a strategic focus\nreliant on the EA to guide IT investments. See the chart below for a description of the\nfive stages. Higher maturity stages require long-term strategies to guide the agencies IT\ninvestments and clearly defined processes for controlling and managing the IT projects\nthroughout the lifecycle.\n\nThe Peace Corps IT governance process provided a framework for the IT investment\nprocess to achieve higher maturity stages. However, Peace Corps did not fully\nimplement the procedures. In addition, frequent staff turnover prevented the process\nfrom fully developing into efficient and effective IT governance. As a result, Peace\nCorps had not advanced into the higher maturity levels and remained focused on\nindividual projects instead of agency-wide strategy.\n\n\n\n\nSource: GAO-04-394G, \xe2\x80\x9cInformation Technology Investment Management: A Framework for Assessing\nand Improving Process Maturity,\xe2\x80\x9d March 2004\n\n\n\nLONG-TERM IT                   Peace Corps did not have an adequate Information\nPLANNING                       Resource Management (IRM) Strategic Plan or detailed EA\n                               roadmap to guide the agency IT initiatives. OMB Circular\n                               A-130 requires Peace Corps to \xe2\x80\x9cestablish and maintain\n                               capital planning and investment control process that links\n                               mission needs, information, and IT in an effective and\n                               efficient manner.\xe2\x80\x9d\n\n\n\nIRM STRATEGIC PLAN             Peace Corps\xe2\x80\x99 did not have an IRM strategic plan that fulfilled\n                               all the requirements of OMB Circular A-130. OMB requires\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management         4\n\x0c                               the use of IRM and IT planning documents to guide agency\n                               IT investments. OMB Circular A-130 states:\n\n                                       The IRM Strategic Plan is strategic in nature\n                                       and addresses all information resources\n                                       management of the agency. Agencies must\n                                       develop and maintain the agency Information\n                                       Resource Management Strategic Plan (IRM)\n                                       as required by 44 U.S.C. 3506 (b) (2). IRM\n                                       Strategic Plans should support the agency\n                                       Strategic Plan required in OMB Circular A-11,\n                                       provide a description of how information\n                                       resources management activities help\n                                       accomplish agency missions, and ensure that\n                                       IRM decisions are integrated with\n                                       organizational planning, budget, procurement,\n                                       financial management, human resources\n                                       management, and program decisions.\n\n                               In the report GAO-04-59, \xe2\x80\x9cGovernmentwide Strategic\n                               Planning, Performance Measurement, and Investment\n                               Management Can Be Further Improved,\xe2\x80\x9d GAO states,\n                               \xe2\x80\x9ceffective strategic is important to ensure that agencies\xe2\x80\x99 IT\n                               goals are aligned with the strategic goals of the agency.\xe2\x80\x9d The\n                               IRM strategic plan should provide an agency-wide vision for\n                               the long-term that offices use to help plan their future IT\n                               investments and the IRB uses to guide decisions for\n                               approving and prioritizing projects.\n\n                               Agency-wide IRM Strategy. Peace Corps did not have a\n                               defined process to involve all offices in the development of\n                               the IRM strategic plan. The OCIO had its office-specific\n                               annual budget strategic plan and an OCIO 3 year update\n                               presentation from November 2008 which discussed agency IT\n                               projects. However, these documents originated from the\n                               OCIO office and did not identify how IRM helps accomplish\n                               the agency mission and strategic goals of all Peace Corps\n                               offices.\n\n                               Although the OCIO is responsible for ensuring agency\n                               compliance with information policies and information\n                               resources management, it is the agency program officials that\n                               are responsible and accountable for information resources\n                               assigned to their programs. Title 44, U.S. Code 3506, states:\n\n                                       \xe2\x80\x9cIn consultation with the Chief Information Officer\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management      5\n\x0c                                       designated under paragraph and the agency Chief\n                                       Financial Officer (or comparable official), each\n                                       agency program official shall define program\n                                       information needs and develop strategies, systems,\n                                       and capabilities to meet those needs. With respect to\n                                       general information resources management, each\n                                       agency shall\xe2\x80\xa6develop and maintain a strategic\n                                       information resources management plan that shall\n                                       describe how information resources management\n                                       activities help accomplish agency missions\xe2\x80\xa6\xe2\x80\x9d\n\n                               It is important that each office contribute to the development\n                               of a formal IRM strategic plan to incorporate all elements of\n                               information resource management and how the agency uses\n                               those resources to achieve its goals. The IRM strategic plan\n                               must be an agency-wide document that guides IT planning\n                               and decision making. For example, according to 5 Foreign\n                               Affairs Manual 1020, \xe2\x80\x9cInformation Technology (IT) Strategic\n                               Plan,\xe2\x80\x9d the State Department\xe2\x80\x99s strategic plan includes\n                               department mission and strategic goals and an IT vision for\n                               the next five years. Further, the State Department\xe2\x80\x99s IT\n                               governance board approves their strategic plan and uses it as\n                               a guide to control the allocation of IT development funds.\n\n                               Peace Corps can ensure management is aware and concurs\n                               with the use of agency IRM resources to achieve its goals by\n                               including management in the development and approval of\n                               the IRM Strategic Plan.\n\n                               Long-Term Vision. The OCIO strategic plan did not fulfill\n                               the intent of an IRM strategic plan because it only covered\n                               the next three years. In contrast, the Peace Corps\xe2\x80\x99 agency-\n                               wide strategic plan identified goals and initiatives for five\n                               years. An IRM strategic plan is the long-term planning\n                               document used to guide all elements of IRM.\n\n                               The OIG questioned whether a three-year planning document\n                               provides sufficient foresight necessary to develop a robust,\n                               agency-wide strategy. Our review of 14 federal agencies\xe2\x80\x99\n                               IRM strategic plans found that 10 of the 14 agencies\xe2\x80\x99 IRM\n                               strategic plans covered five or more years. Therefore, OCIO\n                               could better align the IT strategy to the agency\xe2\x80\x99s strategic\n                               plan and prepare for emerging technology and future\n                               initiatives by expanding the IT strategic plan to five years.\n\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management        6\n\x0c                               IRM Elements. The IRM strategic plan did not include all\n                               elements of IRM. Specifically, the plan provided by OCIO\n                               did not describe how it supported the Paperwork Reduction\n                               Act (covering information collection, privacy, and records\n                               management), Freedom of Information Act, nor E-\n                               government initiatives.\n\n                               GAO recognized that many federal agencies did not include\n                               these additional OCIO responsibilities in their IRM strategic\n                               plans and noted this deficiency in GAO-04-49,\n                               \xe2\x80\x9cGovernmentwide Strategic Planning, Performance,\n                               Measurement, and Investment Management Can Be Further\n                               Improved.\xe2\x80\x9d GAO stated that:\n\n                                       [IRM Strategic] plans generally include\n                                       individual IT projects and initiatives, security,\n                                       and enterprise architecture elements but do not\n                                       often address other information functions\xe2\x80\x94\n                                       such as information collection, records\n                                       management, and privacy\xe2\x80\x94or the coordinated\n                                       management of all information functions.\n\n                               In the report GAO-04-823, \xe2\x80\x9cFederal Chief Information\n                               Officers Responsibilities, Reporting Relationships, Tenure,\n                               and Challenges,\xe2\x80\x9d GAO tracks these additional responsibilities\n                               to the OCIO based on federal laws. See Appendix D for a list\n                               of the specific CIO responsibilities and statutory requirements\n                               identified by GAO. Therefore, the IRM strategic plan must\n                               include all information resource management elements and\n                               how the CIO ensures proper coordination of information\n                               management and compliance with federal regulations.\n\nIT ROADMAP                     Peace Corps did not have a working document that clearly\n                               defined the current IT environment, its relationship to\n                               business processes, and the desired future IT environment.\n\n                               CCA requires agencies to \xe2\x80\x9cdevelop, maintain, and facilitate\n                               the implementation of a sound and integrated information\n                               technology architecture for the executive agency.\xe2\x80\x9d IT\n                               architecture is \xe2\x80\x9can integrated framework for evolving or\n                               maintaining existing information technology and acquiring\n                               new information technology to achieve the agency\'s strategic\n                               goals and information resources management goals.\xe2\x80\x9d\n\n                               According to OMB Circular A-130, the EA is a roadmap for\n                               transitioning from the current IT environment to the target IT\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management        7\n\x0c                               environment. The EA must guide both strategic and\n                               operational IRM planning. However, Peace Corps\xe2\x80\x99 EA was\n                               outdated. The last documented EA was still in draft form and\n                               dated January 21, 2004. Not all the IT systems described\n                               were still in place and new systems were not included.\n\n                               In addition, Peace Corps did not develop an adequate plan for\n                               a target EA environment. The Peace Corps developed EA\n                               scenarios to describe how IT would support future processes.\n                               However, the scenarios were not descriptive in how the\n                               agency would achieve the future processes described in the\n                               narratives. The EA documents did not provide a roadmap\n                               that would help management identify IT needs and determine\n                               the most feasible solutions.\n\nCONCLUSION                     Without clearly defined IRM and IT strategies, Peace Corps\n                               made short-term decisions that did not ensure the most\n                               efficient and effective use of information resources. Further,\n                               the IRB and Peace Corps offices could not make informed\n                               decisions about IT planning and budgeting. To better ensure\n                               information resources will help the agency achieve its\n                               mission, the Peace Corps must develop an agency-wide IRM\n                               strategy involving all offices and use it to establish an EA\n                               roadmap. These documents will help guide the agency\xe2\x80\x99s IT\n                               decisions and offices\xe2\x80\x99 IT budgets.\n\n\nWE RECOMMEND:\n\n1. That the Peace Corps Director, in conjunction with the Chief Information Officer,\n   develop an Information Resource Management strategic plan that establishes the\n   agency\xe2\x80\x99s long-term information technology goals, describes how information\n   technology supports all information resource management, and connects information\n   technology initiatives to the Peace Corps mission.\n\n2. That the Chief Information Officer update the enterprise architecture to reflect the\n   current information technology environment.\n\n3. That the Chief Information Officer develop an enterprise architecture roadmap that\n   supports how the agency\xe2\x80\x99s information technology initiatives will support the\n   information resource management strategic plan.\n\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management         8\n\x0cPLANNING AND                   Peace Corps did not implement an adequate governance\nINVESTMENT CONTROL             process to select, prioritize, control, and evaluate IT\nPROCESS                        investments. Although OCIO developed an IRB charter, it\n                               did not clearly define how the IRB would fulfill the\n                               responsibilities required by CCA and OMB A-130. Further,\n                               the IRB did not always follow its own written procedures.\n                               As a result, some IRB members were unclear on the IRB\xe2\x80\x99s\n                               mission and questioned the fairness and effectiveness of the\n                               IT investment process.\n\n\n                               The CCA requires federal agencies to develop a capital\n                               planning and investment control process. CCA requires that\n                               the Peace Corps Director design and implement a \xe2\x80\x9cprocess\n                               for maximizing the value and assessing and managing the\n                               risks of the information technology acquisitions of the\n                               executive agency.\xe2\x80\x9d The CCA described the necessary\n                               processes of IT governance to include the selection of IT\n                               investments, application of criteria when considering IT\n                               investments, identification of investment measurements, and\n                               communication of project results to management.\n\n                               To comply with the CCA, Peace Corps established an IRB\n                               consisting of management officials. The IRB charter\n                               experienced several revisions over the last five years, but was\n                               not formalized as agency policy in a Peace Corps Manual\n                               section. It is essential for the agency to define the IT\n                               investment process, including the IRB, in the Peace Corps\n                               Manual to provide the necessary authority and clarification.\n                               In addition, because of the constant staff turnover required by\n                               the Peace Corps Act, defining the process in the Peace Corps\n                               Manual will ensure continuous compliance with the CCA.\n\n                               According to the IRB charter, the IRB responsibilities\n                               included:\n\n                                       \xe2\x80\xa2    Selecting IT projects and creating an IT portfolio.\n                                       \xe2\x80\xa2    Aligning IT investments with budgets and the EA.\n                                       \xe2\x80\xa2    Monitoring and controlling projects against their\n                                            outcomes, costs, schedules, and benefits.\n                                       \xe2\x80\xa2    Evaluating return on investment.\n                                       \xe2\x80\xa2    Recommending and approving IT projects.\n\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management       9\n\x0cIRB RESPONSIBILITIES:          Peace Corps did not establish a consistent method for\n                               selecting and prioritizing IT projects; because it did not\n\xe2\x87\x92SELECT                        clearly define what constituted an IT project, which IT\n ALIGN                         projects required presentation to the IRB, and what\n MONITOR                       documents were required to initiate an IT project. The CCA\n EVALUATE                      requires agencies to develop a process for selecting IT\n                               investments integrated with the budget, financial, and\n                               program management decisions of the agency. It further\n                               requires agencies to develop minimum criteria when\n                               investing in IT, including criteria related to the return on\n                               investment and specific quantitative and qualitative analyses\n                               for comparing and prioritizing alternative IT projects.\n                               Establishing criteria for selecting IT investments helps ensure\n                               that an agency compares investments consistently and that IT\n                               decisions are transparent.\n\n                               Peace Corps had a Systems Development Life Cycle (SDLC)\n                               Handbook from 2006 that provided a standard methodology\n                               for categorizing IT projects and listed the required\n                               documentation. For example, the SDLC Handbook defined\n                               the first stage in a project\xe2\x80\x99s life cycle as the concept and\n                               business case state and required the following documents:\n                                   \xe2\x80\xa2   a project concept\n                                   \xe2\x80\xa2   commercial purchase versus government developed\n                                       evaluation\n                                   \xe2\x80\xa2   EA compliance statement\n                                   \xe2\x80\xa2   business case\n                                   \xe2\x80\xa2   preliminary security risk\n                                   \xe2\x80\xa2   timeline and cost estimates\n\n                               According to the SDLC handbook, these documents were\n                               required before IRB approval and release of funds for the\n                               project. However, the IRB did not use the SDLC to\n                               determine which documents and information were required\n                               when selecting IT projects. As a result, management could\n                               not evenly compare IT projects and make the most informed\n                               decisions.\n\n                               Classification. The Peace Corps SDLC project classification\n                               spreadsheet assigns projects to one of three tiers: tier 1\n                               projects cost less than $25,000 and do not require IRB\n                               presentation; tiers 2 and 3 require additional documentation\n                               and IRB approval. The different levels of projects and\n                               documentation are important to ensure the agency fulfills all\n                               IT and procurement requirements while avoiding over\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management    10\n\x0c                               burdensome and unnecessary procedures. OMB Capital\n                               Programming Guide advises agencies to use a stratified\n                               capital programming process involving more or less detail\n                               and review based on the size or strategic importance of\n                               proposed investments. The guide also recommends that\n                               agencies have well documented thresholds clearly\n                               disseminated and implemented across the organization.\n\n                               However, Peace Corps did not consistently use the SDCL\n                               project classification spreadsheet when developing IT\n                               projects. Without these classification spreadsheets, project\n                               managers could not determine which documents were\n                               required. During our review of IT project documentation,\n                               seven out of 15 selected projects did not include a\n                               classification spreadsheet that identified the tier level. As a\n                               result, we could not determine whether the projects initially\n                               required IRB presentation and the required level of\n                               documentation.\n\n                               An April 2009 revision to the IRB charter required EAAB\n                               approval for all projects and IRB approval for all projects that\n                               are politically sensitive, high risk, impacting multiple offices,\n                               or with total cost above $25,000. However, OCIO had not\n                               defined whether the level of documentation for each project\n                               would remain in accordance with the SDLC handbook.\n\n                               Major IT Investments. Proper project classification is also\n                               necessary to ensure compliance with federal regulations.\n                               OMB requires agencies to prepare a list of all IT investments\n                               called an IT portfolio (OMB exhibit 53) and a business case\n                               for all major investments (OMB exhibit 300). OMB Circular\n                               A-11, part 7, section 300 defines a major investment as:\n                                       A system or an acquisition requiring special\n                                       management attention because it: has significant\n                                       importance to the mission or function of the\n                                       agency, a component of the agency or another\n                                       organization; is for financial management and\n                                       obligates more than $500,000 annually; has\n                                       significant program or policy implications; has\n                                       high executive visibility; has high development,\n                                       operating, or maintenance costs; is funded\n                                       through other than direct appropriations; or is\n                                       defined as major by the agency\'s capital\n                                       planning and investment control process.\n\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management          11\n\x0c                               Peace Corps had prepared an exhibit 53 each year, but had\n                               not updated or created an exhibit 300 since September 2003.\n                               OCIO listed five systems in its FY 2009 OMB exhibit 53 that\n                               were essential to the Peace Corps mission: Odyssey,\n                               Volunteer Delivery System, Human Capital Management\n                               project, infrastructure, and Enterprise Architecture Program.\n                               The CIO stated that OMB did not require Peace Corps to\n                               provide exhibit 300s for their projects, but could not provide\n                               a waiver or other documentation supporting this decision.\n\n                               An OCIO project manager also said that an updated exhibit\n                               300 was not necessary because many of the Peace Corps IT\n                               projects were fully developed and in use. However, based on\n                               a review of 10 other federal agencies, all 10 had developed\n                               exhibit 300s for IT projects in use. Furthermore, the exhibit\n                               300 contains information related to projects that are in use,\n                               including sections that list operations and maintenance costs\n                               to compare with original estimates, performance indicators\n                               that include actual results, and fields for updates to security\n                               testing schedules for operational systems. Many of the Peace\n                               Corps IT projects were also still undergoing enhancements\n                               that should have been included in updates to an exhibit 300.\n                               OMB requires additional sections for exhibit 300s of major\n                               IT projects that are considered mixed life-cycle investment,\n                               meaning \xe2\x80\x9can investment having both development /\n                               modernization / enhancement (DME) and steady state\n                               components.\xe2\x80\x9d\n\n                               The exhibit 300 is a useful tool designed to help agencies\n                               plan, budget, acquire, and manage capital assets. OMB\n                               states, \xe2\x80\x9cFor IT, exhibit 300s are designed to be used as one-\n                               stop documents for many of IT management issues such as\n                               business cases for investments, IT security reporting, Clinger\n                               Cohen Act implementation, E-Gov Act implementation,\n                               Government Paperwork Elimination Act implementation,\n                               agency\xe2\x80\x99s modernization efforts, and overall project\n                               (investment) management. It is important to understand, all\n                               information necessary to complete an exhibit 300 already\n                               exists as part of the agency\'s overall Information Resources\n                               Management activities and within project specific\n                               documentation.\xe2\x80\x9d The exhibit 300 is also intended to ensure\n                               that each investment supports the agency\xe2\x80\x99s mission statement,\n                               long-term goals and objectives, and annual performance\n                               plans.\n\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management     12\n\x0c                                    Therefore, the Peace Corps must determine which IT projects\n                                    require an exhibit 300 and maintain current information on\n                                    those projects to ensure compliance with OMB circular A-11\n                                    and federal IT investment requirements.\n\n                                    Presentation. After identifying the need for a potential IT\n                                    project, the project\xe2\x80\x99s sponsor 2 presents a request to the IRB.\n                                    The IRB approves a project for recommendation to the\n                                    Director, requests additional information, or rejects the\n                                    project. However, the IRB did not require consistent\n                                    information and did not have selection criteria to compare\n                                    projects. GAO-04-49 states:\n                                             To achieve desired results, it is important that\n                                             agencies have a selection process that, for\n                                             example, uses selection criteria to choose the\n                                             IT investments that best support the\n                                             organization\xe2\x80\x99s mission and that prioritizes\n                                             proposals.\n\n                                    The project sponsor\xe2\x80\x99s presented a variety of information to\n                                    the IRB through demonstrations, slide presentations, or\n                                    handouts. The presentations did not always include cost\n                                    estimates, alternatives, and projected return on investment.\n                                    Without standard information, the IRB could not make a fully\n                                    informed decision on which projects merited approval.\n\n                                    OCIO Projects. The IRB had limited control over the\n                                    selection of OCIO IT projects. The OCIO maintained a\n                                    separate list of OCIO IT projects presented to the IRB for\n                                    informational purposes. As a result, the OCIO\xe2\x80\x99s IT projects\n                                    were not subject to the same IRB review and approval\n                                    process as IT projects submitted by other offices within the\n                                    agency. In addition, the OCIO\xe2\x80\x99s list inappropriately included\n                                    and prioritized several of its processes, such as security\n                                    assessments and disaster recovery testing. Some of the OCIO\n                                    IT projects presented to the IRB were part of the OCIO\xe2\x80\x99s\n                                    normal business operations and not IT projects.\n                                    Furthermore, the list of OCIO IT projects was incomplete,\n                                    sometimes skipping numbers in the priority listing and\n                                    excluding some OCIO IT projects. For example, the OCIO\n                                    contracted for an E-vault data management project in\n                                    September 2007, but did not include the project in its FYs\n                                    2007 and 2008 lists of project. The project\xe2\x80\x99s purpose was to\n                                    allow for more efficient data storage, search, and retrieval\n\n2\n    The project sponsor is the Peace Corps office requesting the IT project.\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management           13\n\x0c                                functionality. The project proposal scheduled work was\n                                October 1 - 31, 2007, with an estimated cost of $101,000 for\n                                the software and storage equipment and 100 labor hours.\n                                Therefore, OCIO should have presented the project for\n                                approval to the IRB because it exceeded the $25,000\n                                threshold.\n\n                                Although the project was never completed, OCIO has already\n                                paid the contractor $46,368 for the project. As of May 2009,\n                                OCIO had not installed the E-vault software and no longer\n                                had plans to use it. Had the OCIO followed the required IT\n                                investment process and conducted the necessary cost analysis,\n                                it may have avoided spending $46,368.\n\n                                Budget Integration. Peace Corps offices requested and\n                                spent resources on IT projects without the required IRB\n                                approval. CCA requires the integration of budget, financial,\n                                and program management decisions for IT investments.\n                                Before an office receives funds for IT projects, it should have\n                                the proper approvals from the EAAB or IRB. This will\n                                ensure budgetary resources align with the agency\xe2\x80\x99s IT\n                                strategy and target environment.\n\n                                IRB approval was not required before some offices received\n                                additional agency funds for IT projects. For example, in May\n                                2009 OCFO received an additional $1,080,100 in agency\n                                funds to acquire budget software without presenting the\n                                information to the IRB and EAAB. Although Peace Corps\n                                was revising the IRB process when the OCFO submitted this\n                                request for agency resources (RAR), 3 OCFO still should\n                                have communicated with senior management and OCIO staff\n                                before requesting the funds.\n\n                                During our review, we located RAR instructions that required\n                                IT related requests be approved by IRB before submission to\n                                the OCFO. This ensured the project was reasonable and\n                                feasible before the agency assigned its resources. However,\n                                neither OCFO nor OCIO budget personnel were aware of\n                                these instructions.\n\nIRB RESPONSIBILITIES:           Peace Corps did not maintain adequate documentation to\n                                justify IT project prioritization. Prioritization helps ensure\n SELECT                         that the agency and OCIO properly align resources to meet\n\xe2\x87\x92ALIGN                          statutory requirements and achieve strategic goals.\n\n3\n An RAR is the form used to request additional agency funds to pay for an activity or requirement not\nsufficiently covered by an office\xe2\x80\x99s allotted funds.\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management                 14\n\x0c MONITOR                       Prioritization. The IRB was responsible for prioritizing\n EVALUATE                      agency projects. However, IRB members did not\n                               fully understand the process because the agency did not have\n                               a standard method for evaluating and comparing projects for\n                               prioritization. As a result, the agency\xe2\x80\x99s IT priority list was\n                               not an effective tool for determining resource allocation. For\n                               example, Peace Corps initiated the Magellan project in\n                               January 2007, to provide an integrated system to better\n                               connect domestic and international databases. This project\n                               was an agency-wide initiative requiring several years, all\n                               domestic and overseas operations, and an original estimate of\n                               $9.4 million to complete. However, the IRB assigned the\n                               Magellan project priority number 15 out of 21 in FY 2008.\n                               Because of the size and impact of the Magellan project, the\n                               IRB should have assigned it a higher priority.\n\n                               The CIO prioritized OCIO projects. The OCIO project\n                               prioritization lists from FYs 2007 through 2009 show that the\n                               CIO did not properly prioritize federal requirements. For\n                               example,\n\n                                   \xe2\x80\xa2   In April 2007, CIO listed a project to comply with\n                                       OMB Memorandum 06-16 as priority 12 out of 15.\n                                       OMB required agencies to comply with this policy by\n                                       August 2006.\n\n                                   \xe2\x80\xa2   In April 2008, CIO listed a project to comply with\n                                       OMB Memorandum 07-11 as priority 11 out of 13.\n                                       OCIO originally scheduled this project to meet the\n                                       OMB required completion date of February 1, 2008.\n                                       Because of the delays and change in staff, OCIO had\n                                       to revisit the requirements and updated the estimated\n                                       completion date to July 2009.\n\n                                   \xe2\x80\xa2   In April 2008, CIO listed the Federal Information\n                                       Security Management Act required certification and\n                                       accreditation process for one system as priority 12 out\n                                       of 13.\n\n                               As previously discussed, the Peace Corps had not fully\n                               documented its IT strategic plan and target EA. Without a\n                               clear IT strategy, the IRB and OCIO prioritization was\n                               subjective and did not clearly align agency resources to its\n                               goals. Further, because the IRB did not maintain detailed\n                               meeting minutes to justify its decisions, the IRB\xe2\x80\x99s\n                               prioritization of IT investments was vulnerable to scrutiny.\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management       15\n\x0cIRB RESPONSIBILITIES:          Peace Corps did not adequately monitor projects throughout\n                               their life cycle to ensure projects met budget and schedule\n  SELECT                       targets.\n ALIGN\n\xe2\x87\x92MONITOR                       CCA required agencies to provide the means for senior\n EVALUATE                      management personnel to obtain timely information regarding\n                               the progress of an investment in an information system. This\n                               includes a system of milestones for measuring progress, on an\n                               independently verifiable basis, in terms of cost, capability of\n                               the system to meet specified requirements, timeliness, and\n                               quality.\n\n                               The OMB Circular A-130 requires agencies to:\n                                   \xe2\x80\xa2   Institute performance measures and management\n                                       processes that monitor actual performance compared\n                                       to expected results. Agencies must use a performance\n                                       based management system that provides timely\n                                       information regarding the progress of an information\n                                       technology investment. The system must also\n                                       measure progress towards milestones in an\n                                       independently verifiable basis, in terms of cost,\n                                       capability of the investment to meet specified\n                                       requirements, timeliness, and quality.\n                                   \xe2\x80\xa2   Establish oversight mechanisms that require periodic\n                                       review of information systems to determine how\n                                       mission requirements might have changed, and\n                                       whether the information system continues to fulfill\n                                       ongoing and anticipated mission requirements. These\n                                       mechanisms must also require information regarding\n                                       the future levels of performance, interoperability, and\n                                       maintenance necessary to ensure the information\n                                       system meets mission requirements cost effectively.\n                                   \xe2\x80\xa2   Ensure that major information systems proceed in a\n                                       timely fashion towards agreed-upon milestones in an\n                                       information system life cycle. Information systems\n                                       must also continue to deliver intended benefits to the\n                                       agency and customers, meet user requirements, and\n                                       identify and offer security protections.\n\n                               The IRB charter states, \xe2\x80\x9cthe IRB reviews and prioritizes\n                               existing \xe2\x80\x98Development,\xe2\x80\x99 \xe2\x80\x98Enhancement,\xe2\x80\x99 and \xe2\x80\x98O&M\xe2\x80\x99\n                               [Operations and Maintenance] projects for cost, progress, and\n                               alignment compliance as project progresses.\xe2\x80\x9d However, the\n                               charter does not document what the IRB would review.\n                               Project sponsors occasionally presented updates to the IRB on\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management     16\n\x0c                               project progress, but the information varied and rarely\n                               included cost and schedule information.\n\n                               Consolidating Project Information. The Peace Corps had\n                               not established a process to ensure that the PMO received all\n                               of the necessary cost and schedule information necessary to\n                               track IT projects. The PMO was responsible for reporting\n                               project status to the IRB and inform management of project\n                               costs that exceeded budget and missed milestones. The\n                               OCIO PMO used a three-color metric (ranging from green -\n                               on target to red \xe2\x80\x93 significantly behind) for each project\xe2\x80\x99s\n                               budget, schedule, and scope in the IRB project lists.\n                               However, the PMO determined the metrics based on\n                               discussions with the project managers or a TRM instead of\n                               verifying the information with cost and schedule\n                               documentation. As a result, the OCIO and agency\n                               management did not have visibility over all IT projects and\n                               could not make informed decisions about resource allocation,\n                               project continuation, or early termination.\n\n                               Tracking Costs. Peace Corps had not developed a process to\n                               accumulate all costs by project and compare the results to\n                               original estimates. IT projects costs may include contract\n                               costs, security and training, internal labor, and equipment.\n                               During our review, we determined that projects did not\n                               always include security and training in costs totals and did not\n                               track the total number of internal labor hours. This issue was\n                               further complicated by the lack of coordination between the\n                               OCIO and project sponsors.\n\n                               Tracking and reporting costs is necessary to comply with\n                               federal regulations and ensure projects are not wasteful. For\n                               example, the Federal Acquisition Streamlining Act of 1994\n                               requires agency heads to achieve on average, 90% of cost and\n                               schedule goals for major and non-major acquisition programs\n                               of the agency. Further, OMB has issued policies on\n                               implementing an earned value management system for IT\n                               projects to ensure performance measurement baselines have\n                               clear cost, schedule, and performance goals.\n\n                               An agency-wide costing technique and tracking mechanism\n                               would help ensure all offices involved with the IT project\n                               report associated costs. This would allow agency\n                               management to make more informed decisions about IT\n                               projects, such as reallocating resources, and ensure\n\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management     17\n\x0c                               compliance with federal regulations. We discuss this issue\n                               further in the Project Management paragraph.\n\n                               Scheduling Work. The IRB did not have sufficient\n                               information concerning project schedules and milestones to\n                               provide adequate oversight of IT projects. In the PMO\n                               reports to the IRB, projects were consistently listed as behind\n                               schedule. For example, the PMO December 2008 report\n                               listed seven out of 17 agency projects (41%) and four out of\n                               eight OCIO projects (50%) as behind schedule.\n\n                               However, we determined that the percent of projects behind\n                               schedule exceeded these numbers, because the PMO\n                               incorrectly reported some projects as on schedule. For\n                               example, the PMO reported the property management system\n                               on schedule in December 2008, even though it had an original\n                               completion date of September 2008.\n\n                               The IRB did not have specific information on work schedules\n                               because projects were not clearly defined and divided by\n                               phases. For example, the PMO December 2008 report\n                               included the human capital management system with an\n                               estimated completion date of July 1, 2007. This date\n                               represented the original project completion date; the system\n                               was completed but remained on the list because of continued\n                               security testing and enhancements. Further, projects such as\n                               Magellan, online collaboration, and the Volunteer Delivery\n                               System were difficult to track against schedules because they\n                               involved several projects; as the projects developed, OCIO\n                               separated them into various smaller projects. In order for the\n                               IRB to properly monitor projects, the OCIO must delineate\n                               the specific IT projects and the different project phases.\n\n                               OCIO implemented the work breakdown structure for some\n                               of its IT projects. The work breakdown structure lists\n                               specific tasks and target completion dates. This information\n                               is essential for the IRB to properly monitor project schedules.\n                               Some smaller projects may not require a work breakdown\n                               structure, but need a process to track work in comparison to\n                               the scheduled completion.\n\nIRB RESPONSIBILITIES:          The Peace Corps did not review projects after their\n                               implementation to ensure the agency achieved the desired\n   SELECT                      return on investment and to document lessons learned. OMB\n   ALIGN                       Circular A-130 states that as part of the evaluation component\n   MONITOR                     of the capital planning process an agency must:\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management     18\n\x0c\xe2\x87\x92EVALUATE                          \xe2\x80\xa2   Conduct post-implementation reviews of information\n                                       systems and information resource management\n                                       processes to validate estimated benefits and costs, and\n                                       document effective management practices for broader\n                                       use.\n                                   \xe2\x80\xa2   Evaluate systems to ensure positive return on\n                                       investment and decide whether continuation,\n                                       modification, or termination of the systems is\n                                       necessary to meet agency mission requirements.\n                                   \xe2\x80\xa2   Document lessons learned from the post-\n                                       implementation reviews. Redesign oversight\n                                       mechanisms and performance levels to incorporate\n                                       acquired knowledge.\n                                   \xe2\x80\xa2   Re-assess an investment\'s business case, technical\n                                       compliance, and compliance against the EA.\n                                   \xe2\x80\xa2   Update the EA and IT capital planning processes as\n                                       needed.\n\n                               The SDLC handbook required lessons learned documentation\n                               and post-implementation evaluation upon completion of an IT\n                               project. However, none of the nine completed IT projects\n                               reviewed contained a post implementation evaluation or\n                               lessons learned documentation. In addition, project sponsors\n                               did not always show cost totals or return on investment when\n                               presenting the completed project to the IRB. This\n                               information is necessary at the end of the project to determine\n                               whether the project fulfilled its expectations, to reevaluate the\n                               benefits, and to identify best practices.\n\nCONCLUSION                     The Peace Corps IT governance process relied on the IRB to\n                               select and prioritize IT projects, recommend IT projects to the\n                               Director, monitor and control projects, evaluate return on\n                               investment, and align IT investments with budgets and EA.\n                               However, the IRB process for managing the agency\xe2\x80\x99s IT\n                               projects was not clearly defined and documented. As a result,\n                               IRB decisions were not transparent and management did not\n                               have assurance that the IT governance process promoted the\n                               most efficient use of IT resources.\n\n\nWE RECOMMEND:\n\n4. That the Chief Information Officer develop a Peace Corps Manual section to\n   describe the information technology governance process, including the various\n   review boards and their functions.\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management      19\n\x0c5. That the Chief Information Officer update the System Development Life\n   Cycle handbook to discuss the current information technology life cycle and\n   required documentation.\n\n6. That the Chief Information Officer review all information technology projects\n   to determine whether any require an exhibit 300 and prepare the\n   documentation when necessary.\n\n7. That the Investment Resource Board develop and implement a standard list of\n   required information and selection criteria for all information technology\n   projects presented for approval. The Investment Resource Board must use this\n   criteria to assist the Information Resource Board in prioritizing information\n   technology projects.\n\n8. That the Investment Resource Board maintain records to support all approval\n   and prioritization decisions and ensure the information is readily available to\n   agency management.\n\n9. That the Investment Resource Board and Enterprise Architecture Advisory\n   Board establish the process and criteria that will be used to monitor\n   information technology projects during development and implementation.\n\n10. That the Chief Information Officer develop a costing technique to track total\n    information technology costs and establish guidelines for how the agency will\n    implement the costing technique for information technology projects.\n\n11. That the Investment Resource Board and Enterprise Architecture Advisory\n    Board establish the process and criteria that will be used to evaluate\n    information technology projects after implementation.\n\n\n\nPROJECT MANAGEMENT The OCIO did not implement a process to ensure IT projects\n                   progressed timely and all required documentation was\n                   maintained throughout the project life-cycle. The SDLC\n                   handbook lists the required milestones and associated\n                   documentation necessary for IT projects from concept to\n                   retirement. The SDLC established milestones for presenting\n                   to the EAAB and IRB and the required documents such as\n                   an IT project justification, costs comparisons, IT security\n                   impact, and cost and schedule tracking sheets. This\n                   documentation ensured management had the information to\n                   make informed decisions and helped the agency comply\n                   with OMB Circular A-130 and other federal regulations.\n                   However, project managers and agency sponsors did not\n                   follow the SDLC handbook because OCIO did not clearly\n                   define responsibilities and enforce the standards.\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management   20\n\x0cROLES AND                      The OCIO did not adequately communicate with project\nRESPONSIBILITIES               sponsors to ensure projects progressed timely. Depending on\n                               the size and impact of an IT project, numerous personnel\n                               from different Peace Corps offices may be involved; such as\n                               OCIO IT specialists, project sponsors, contracting OCIO\n                               security team, and IT training staff. Although the SDLC\n                               handbook had a list of deliverables required for IT projects by\n                               phase, IT personnel were not aware of the handbook and did\n                               not follow its guidelines. A clearly defined list of required\n                               documents and document owners is essential to ensuring that\n                               all personnel involved are aware of their responsibilities.\n\n                               For agency projects, the OCIO Technical Relationship\n                               Managers (TRM)\xe2\x80\x99s role is to support the project sponsor by\n                               guiding them through the IT governance process and helping\n                               them understand and articulate their business requirements\n                               and technology needs. TRMs also help the CIO PMO\n                               maintain a list of projects and their status. However, several\n                               project sponsors said they were not fully informed of the\n                               requirements during development and who was responsible\n                               for preparing and maintaining the required documents.\n\nDOCUMENTATION                  During our review, we determined that the TRMs did not\nCONSOLIDATION AND              consistently maintain documentation to support IT project\nRETENTION                      cost analysis and estimates and often relied on the project\n                               sponsor to maintain the cost documentation. As a result, the\n                               IT project documentation was not readily available to support\n                               requirements. Without an adequate central repository for IT\n                               project documentation, it was difficult to verify that IT\n                               managers followed Peace Corps policies and complied with\n                               federal regulations.\n\n                               Incomplete Documentation. The OCIO had a PMO to track\n                               project development and provide a central repository for all\n                               agency IT projects. The PMO established project folders on\n                               the agency\xe2\x80\x99s network to retain all of the documentation\n                               required in the SDLC handbook. However, the TRMs did not\n                               place documents in the folders and the PMO did not enforce\n                               the practice. Therefore, project information did not flow to\n                               the PMO.\n\n                               During our review of 15 IT projects, we determined that the\n                               PMO records were incomplete. See the table for a complete\n                               description of which documents were not maintained in a\n                               readily available location.\n\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management    21\n\x0c                                                Documentation Missing from\n                                              the Project Management Folders\n                                                              Projects without Required\n                                   Name of Document\n                                                                  Documentation*\n                                Project initiation form                   10\n                                Project classification sheet               7\n                                Risk Assessment                           10\n                                IT security assessment                    11\n                                Scope documentation                        7\n                                Work breakdown structure                   6\n                                Procurement documents                      6\n                                Test plan                                 10\n                                Training plan                             12\n                                Time tracking sheet                       12\n                                Cost tracking sheet                       10\n                                Weekly/monthly updates                     9\n                               * Based on a judgmental sample of 15 IT projects.\n\n\n                               Cost Benefit Analysis. One of the documents required by\n                               the SDLC was the cost benefit analysis. This analysis is\n                               especially important to ensure compliance with federal\n                               regulations. OMB A-130 requires agencies to \xe2\x80\x9cprepare and\n                               update a benefit-cost analysis for each information system\n                               throughout its life cycle\xe2\x80\x9d and \xe2\x80\x9csupport work processes that it\n                               has simplified or otherwise redesigned to reduce costs,\n                               improve effectiveness, and make maximum use of\n                               commercial, off-the-shelf technology.\xe2\x80\x9d\n\n                               Neither the TRM nor the project sponsor could provide the\n                               cost documentation for three of the 10 agency IT projects we\n                               reviewed. One of the projects was a planned property\n                               management system. Because of frequent staff turnover,\n                               several TRMs had assisted the project through initiation.\n                               After 11 months of project design, a new TRM assumed\n                               responsibility for the project, but she did not have the\n                               required documentation to support the decision for OCIO\n                               staff to develop the system. The new TRM had to re-evaluate\n                               the project requirements and cost analysis. As a result, the\n                               agency may have avoided spending approximately $52,763 in\n                               labor costs had OCIO and the project sponsor developed and\n                               maintained the necessary cost documentation to support the\n                               decision to build the system.\n\nCONCLUSION                     The OCIO did not implement an effective process to maintain\n                               all IT project documentation throughout the project\xe2\x80\x99s life-\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management    22\n\x0c                               cycle. Although the SDLC handbook listed the required\n                               documents necessary for IT projects, Peace Corps did not\n                               follow it. For agency projects, the TRM did not clearly\n                               define responsibilities for creating and maintaining\n                               documentation, causing confusion about which documents\n                               the project sponsor or OCIO staff would create and store. In\n                               addition, OCIO did not fully utilize the PMO for monitoring\n                               and reporting all IT projects. As a result, IT project\n                               documentation was not readily available and could not always\n                               support projects costs and schedules. Without this\n                               information management could not make well informed\n                               decisions concerning project initiation, development,\n                               continuation, and termination.\n\n\nWE RECOMMEND:\n\n12. That the Chief Information Officer issue guidance that describes the roles and\n    responsibilities of the technical representatives and their relationship with project\n    sponsors and managers. The guidance must clearly define who is responsible for\n    each required document throughout the information technology project\xe2\x80\x99s life cycle\n    and who will retain the documentation.\n\n13. That the Chief Information Officer develop and enforce standard operating\n    procedures that will ensure the required information technology documentation is\n    prepared timely and maintained in a readily available location for the life of the\n    project.\n\n14. That the Chief Information Officer design the layout within the information\n    technology\xe2\x80\x99s collaboration tool to assist users in determining which documentation is\n    required and who is responsible for each step of the information technology process.\n\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management     23\n\x0cFINDING B. OFFICE OF THE CHIEF INFORMATION OFFICER\n           BUDGET FORMULATION\nOverall, Peace Corps had budgetary controls in place and operating effectively to ensure\nthat OCIO fund allocation and expenditures were necessary, justified, and properly\napproved. However, OCIO commingled its operation and maintenance fund account\nand IT centrally managed resources fund account and relied heavily on additional\nagency funds. This occurred because:\n\n    \xe2\x80\xa2   OCIO did not define and separate the OCIO fund accounts.\n    \xe2\x80\xa2   OCFO did not provide Peace Corps offices with adequate guidance concerning\n        the request of additional agency funds and failed to monitor the use of the\n        additional funds.\n\nAs a result, OCIO did not practice good budget management and increased the risk that\nessential functions would not have adequate funding. In addition, OCFO did not have\nsufficient administrative control of funds to ensure the most efficient use of agency\nresources and could not make fully informed decisions when providing additional\nresources to offices.\n\nADMINISTRATIVE CONTROL OF FUNDS\nPeace Corps budget controls over OCIO resources were in place and operating\neffectively. Peace Corps policies establish key administrative controls over funds and\nreview processes. The Peace Corps Director allots all funds to the Chief Financial\nOfficer. The OCFO then creates sub-allotments at the highest possible organizational\nlevel consistent with effective and efficient management. A separate allotment to each\nallottee or sub-allottee is made for each fund account.\n\nThe Chief Financial Officer delegates authority to incur obligations and make\nexpenditures through the issuance of \xe2\x80\x9coperating budget advices.\xe2\x80\x9d These advices are\nreflected in the agency\xe2\x80\x99s operating plan and are based on operating budget levels\napproved by the allottee. Through the allotment process, statutory responsibility is\nplaced on the allottee to ensure that obligations are not incurred and expenditures are not\nmade in excess of the allotment.\n\nThe Peace Corps\' Office of Budget and Analysis, within the OCFO, carefully monitors\nautomated accounting reports and monthly obligations of administrative budget holders.\nThe OCFO has policies in place to provide effective controls and oversight to mitigate\nthe risk of over-obligation and misuse of agency funds.\n\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management   24\n\x0cSEPARATION OF OCIO              The OCIO did not adequately define and separate its two\nFUND ACCOUNTS                   fund accounts.\n\n\n                                The OCIO manages two fund accounts: (1) OCIO operations\n                                and maintenance and (2) IT centrally managed resources.\n                                OCIO used these funds for IT equipment, OCIO salaries,\n                                OCIO travel expenses, and IT services. During interviews,\n                                OCFO personnel explained that the OCIO operations and\n                                maintenance account contains the costs that do not fluctuate\n                                except for inflation. The operating budgets showed that the\n                                OCIO operations and maintenance account funded salaries,\n                                travel costs, equipment, IT security, training, and supplies;\n                                while the IT centrally managed account funded disaster\n                                recovery, telecommunications, advisory services, and agency\n                                IT subscriptions.\n\n                                The Peace Corps\xe2\x80\x99 FY 2009 budget request sent to OMB\n                                stated that the OCIO operations and maintenance account\n                                was for the OCIO office to provide \xe2\x80\x9cleadership for and\n                                management of the development and application of IT and\n                                methodologies in support of the Peace Corps\xe2\x80\x99 mission at\n                                headquarters, U.S. regional offices, and overseas posts. It\n                                serves as the primary source of IT advice and counsel to the\n                                agency director.\xe2\x80\x9d It also stated that the IT centrally managed\n                                funds included \xe2\x80\x9cthe costs of telecommunications, data center\n                                operations, mainframe and distributed computer\n                                environments, overseas equipment, disaster recovery, and\n                                enterprise information architecture.\xe2\x80\x9d\n\n                                However, we determined that OCIO did not always adhere to\n                                these definitions. For example, OCIO assigned $127,000 for\n                                disaster recovery to the OCIO operations and maintenance\n                                account. Further, OCIO paid for all travel and training costs\n                                using the OCIO operations and maintenance account\n                                regardless of whether the expense related to day-to-day\n                                OCIO operations, overseas operations, or agency IT.\n\n                                In FY 2008 and early FY 2009, OCIO and OCFO revised the\n                                two accounts. However, Peace Corps still needs to clearly\n                                define the two accounts and delineate costs accordingly. The\n                                separation of funds is necessary for budget management and\n                                to ensure OMB and Congress are adequately informed of the\n                                Peace Corps budgets plan.\n\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management    25\n\x0cWE RECOMMEND:\n\n15. That the Chief Financial Officer in conjunction with the Chief Information Officer\n    clearly define the Office of the Chief Information Officer\xe2\x80\x99s operations and\n    maintenance account and the information technology centrally managed account and\n    include the updated definition in the annual Peace Corps budget submission.\n\n16. That the Chief Information Officer establish procedures to ensure the obligations are\n    properly assigned to the Office of the Chief Information Officer\xe2\x80\x99s operations and\n    maintenance account and the information technology centrally managed account\n    based on the account definitions.\n\n\n\n\nREQUEST FOR AGENCY              Peace Corps had not established guidance on the use of\nRESOURCES                       agency resources to cover unfunded requirements.\n\n\n                                When an office requests additional funds, it submits a\n                                Request for Agency Resources (RAR) through the OCFO to\n                                the Director. The OCFO budget analysts work with the\n                                offices submitting the request to determine whether the\n                                request is justified and reasonable and makes\n                                recommendations to the Director\xe2\x80\x99s office. However, OCFO\n                                did not document the RAR process, which allowed offices to\n                                present varied levels of documents and support.\n\n                                RAR Supporting Documentation. Without clear guidance\n                                concerning RAR preparation and responsibilities, the OCFO\n                                did not ensure requestors consistently supported and justified\n                                their submission. In order to ensure consistent information\n                                when evaluating how to allocate agency resources, it is\n                                essential that offices understand which costs to include, what\n                                to use as support, and how the IRB process relates to IT\n                                requests.\n\n                                We identified several inefficiencies and discrepancies in the\n                                OCIO\xe2\x80\x99s RARs that OCFO should have identified and\n                                required more information for before processing the request.\n                                In FYs 2007, 2008, and 2009; OCIO:\n                                    \xe2\x80\xa2   Submitted numerous RARs for the same project.\n                                        This was not efficient and did not ensure OCFO and\n                                        the Director had complete visibility of the total\n                                        projects costs and requirements.\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management    26\n\x0c                                    \xe2\x80\xa2   Did not always provide specific information\n                                        regarding how requests fulfilled office and agency\n                                        needs and aligned to the agency\xe2\x80\x99s plan.\n                                    \xe2\x80\xa2   Did not justify how the cost and labor hour estimates\n                                        were calculated.\n                                    \xe2\x80\xa2   Did not always include total costs associated with a\n                                        request, such as future maintenance costs, security\n                                        costs, and labor costs.\n                                    \xe2\x80\xa2   Did not always provide an effective performance\n                                        measurement to ensure the project funded by the\n                                        RAR met goals and expectations.\n\n                                Therefore, OCFO allowed the OCIO to receive additional\n                                agency resources without fully justifying the request or\n                                providing support to demonstrate that the funds were used\n                                for the requested purpose. As a result, OCFO did not\n                                maintain sufficient administrative control of funds to ensure\n                                the most efficient use of agency resources and could not fully\n                                informed decisions when providing additional resources to\n                                offices.\n\n                                OCIO Use of RARs. OCIO relied heavily on RARs to fund\n                                essential business activities. We determined that more than\n                                31% of the OCIO\xe2\x80\x99s budget was funded by RARs over the\n                                last two and half years. Based on a review of FY 2007,\n                                2008, and 2009 OCIO RARs, we determined that more than\n                                50% were requests for funds to fulfill federal mandates and\n                                routine OCIO activities such as staff training, IT refresh, and\n                                security testing. The Director approved the OCIO RARs for\n                                the federal mandates and routine OCIO activities. However,\n                                by not ensuring funding at the beginning of the fiscal year,\n                                Peace Corps increased the risk that essential mission-related\n                                activities will not be completed in a timely manner.\n\n                                In 2008, the OCIO performed an analysis of the its base\n                                budget, recognizing that RARs were covering budget\n                                shortfalls, and that in order to protect its IT investment, core\n                                IT services should be fully funded in baseline in order to\n                                facilitate effective financial planning.\n\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management        27\n\x0cWE RECOMMEND:\n\n17. That the Chief Financial Officer establish standard operating procedures concerning\n    the preparation and submission of the requests for agency resources. Specifically, the\n    guidance must describe which costs to include, establish what documentation is\n    necessary to support the cost estimates, and require information review board\n    approval for requests related to information technology.\n\n18. That the Chief Information Officer, in conjunction with the Chief Financial Officer,\n    review the Office of the Chief Information Officer\xe2\x80\x99s requests for agency resources to\n    determine whether any of the costs should be included in the operating budget to\n    mitigate the risk that essential information technology activities are not funded in a\n    timely manner.\n\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management   28\n\x0cFINDING C. OFFICE OF THE CHIEF INFORMATION OFFICER\n           BUDGET MANAGEMENT\nThe OCIO did not adequately oversee contracts and manage IT personnel. This\noccurred because the OCIO did not:\n\n    \xe2\x80\xa2    Ensure the contract officer\xe2\x80\x99s technical representatives were fulfilling their\n         responsibilities.\n    \xe2\x80\xa2    Fill vacant OCIO positions timely.\n    \xe2\x80\xa2    Establish clear lines of communication with all agency IT specialists.\n\nAs a result, the OCIO could not ensure its workforce completed tasks timely and\nefficiently and could not fulfill all requirements of the Clinger-Cohen Act. Peace Corps\npaid $35,000 for unnecessary contract services and failed to properly track an additional\n$149,000 in contract costs. In addition, Peace Corps could have better utilized $97,000\nby reducing lapsed salary costs and could have saved additional time and resources by\nproperly aligning IT resources.\n\nOCIO BUDGETED AMOUNTS\nThe OCIO budget consisted of costs for personnel (such as salaries, awards, and\nbenefits), travel, training, equipment, supplies, and IT service contracts. In FY 2008, the\nOCIO contract and salary costs comprised approximately 99.5% of the budgeted\noperations and maintenance funds ($8,430,600) and 80% of the budgeted centrally\nmanaged fund ($7,330,680).\n\nIn FY 2008, OCIO had 56 employees and 33 contractors assigned to five offices:\n\n    1.   operations and infrastructure\n    2.   planning and training\n    3.   IT security\n    4.   application systems\n    5.   IT architecture standards and practices\n\nIn addition, Peace Corps headquarters staff included 10 IT specialists in offices other than\nthe OCIO and overseas posts employed personal service contractors as IT specialists.\n\n\n\nCONTRACT                        OCIO did not always track contract performance and\nMANAGEMENT                      ensure that contractors completed work in accordance with\n                                contract terms.\n\n\n                                The Office of Acquisitions and Contract Management was\n                                the contracting officer for OCIO contracts. OCIO personnel\n                                served as the contracting officer\xe2\x80\x99s technical representative\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management   29\n\x0c                                (COTR) to manage and measure contract performance and\n                                provide technical direction. Within the OCIO, the operations\n                                and infrastructure office oversaw the majority of the\n                                contractors. The contractors\xe2\x80\x99 primary tasks were to manage\n                                IT equipment, provide service desk support, and test IT\n                                security.\n\n                                Based on a review of five contracts, we determined that\n                                OCIO personnel did not always fulfill their COTR\n                                responsibilities. Two of the five contracts we reviewed had\n                                poorly defined deliverables, and OCIO did not adequately\n                                track goods and services. Without retaining the invoice\n                                support for specific contract deliverables, the OCIO could\n                                not ensure it received the necessary services and that the\n                                contractor fulfilled all contractual obligations.\n\n                                The largest OCIO contract became difficult to manage,\n                                because of numerous contract modifications that were not\n                                properly tracked to invoices and deliverables. In August\n                                2006, Peace Corps issued the original contract for IT services\n                                including asset management, help desk support, and IT\n                                security at an approximate cost of $4.8 million a year. By\n                                November 2008, Peace Corps had issued 29 modifications\n                                for an additional $3 million in goods and services. Contract\n                                management became even more difficult because the COTR\n                                left the agency in November 2008. By that time, the contract\n                                already contained the following issues:\n\n                                \xe2\x80\xa2 Deliverables listed in the contract modifications were\n                                  vague and could not be easily traced to actual goods or\n                                  services. Twelve out of 56 contract line items listed as\n                                  \xe2\x80\x9ccatalog purchase\xe2\x80\x9d did not specify which product OCIO\n                                  planned to purchase using these line items.\n\n                                \xe2\x80\xa2 Invoices did not specify the contract line item to which\n                                  the goods or services applied. The vendor submitted\n                                  invoices listing all costs on contract line item number 1,\n                                  instead of assigning the purchases to one of the 56\n                                  specific line item numbers. The contract required the\n                                  contractor to provide deliverable information in\n                                  attachments to the invoices; however, OCIO personnel\n                                  could not provide this information.\n\n                                \xe2\x80\xa2 The COTR and OCIO administrative personnel could not\n                                  provide information regarding which goods and services\n                                  have been received and what was outstanding on the\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management    30\n\x0c                                         contract. We determined that four contract line items\n                                         were over-expended by approximately $149,000.\n                                         Although the contract was not over-obligated because\n                                         other lines were under-expended or not yet billed, the\n                                         OCIO could not efficiently determine which goods and\n                                         services it received and which were outstanding.\n\n                                    \xe2\x80\xa2 Services appeared duplicate and inadequately justified.\n                                      Although disaster recovery had been included in the\n                                      contract\xe2\x80\x99s original statement of work, it did not specify\n                                      what costs the service included. In February 2007, OCIO\n                                      modified the contract by adding $35,000 for disaster\n                                      recovery testing.\n\n                                         In addition, disaster recovery testing was included in a\n                                         separate contractor\xe2\x80\x99s statement of work. Without a\n                                         sufficient documentation explaining the different\n                                         responsibilities of the two contractors, we question\n                                         whether the charges were necessary.\n\n                                    \xe2\x80\xa2 Peace Corps accepted and paid for a contractor\xe2\x80\x99s proposal\n                                      for an IT project involving software and installation\n                                      services, but the contractor never completed the project.\n                                      In September 2007, the contractors submitted a proposal\n                                      to test and install E-vault data management software 4 by\n                                      October 31, 2007. OCIO increased the contract by\n                                      $46,368 based on the proposal and paid the contractor for\n                                      these services in December 2007. Although OCIO\n                                      received the E-vault software, as of May 2009, it was not\n                                      installed and OCIO did not have plans to use it. As a\n                                      result, the contractor did not fulfill the scope of work\n                                      defined in its project proposal and the contract statement\n                                      of work.\n\n                                    To provide adequate contract management, COTRs must\n                                    monitor contractor performance and require the contractor to\n                                    provide the contract line item information on the invoices to\n                                    facilitate tracking deliverables to the contract.\n\n\n\n\n4\n    We discuss this project in the finding A project presentation paragraph.\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management             31\n\x0cWE RECOMMEND:\n\n19. That the Chief Acquisition Officer review the Office of the Chief Information\n    Officer\xe2\x80\x99s procedures for providing technical oversight and provide instruction for the\n    its contracting officer\xe2\x80\x99s technical representatives when managing large information\n    technology contracts.\n\n20. That the Chief Acquisition Officer request an audit of the August 2006 Office of\n    Chief Information Officer contract for information technology services.\n\n21. That the Chief Information Officer ensure all Office of the Chief Information Officer\n    personnel assigned as contracting officer\xe2\x80\x99s technical representatives are properly\n    trained and are fulfilling the required responsibilities.\n\n\n\n\nOCIO PERSONNEL                     OCIO did not fill vacancies timely, leaving essential\n                                   functions understaffed and causing other positions to\n                                   assume additional responsibilities.\n\n\n                                   OCIO had 11 vacancies out of 56 positions (19.6%) in\n                                   December 2007 and 11 vacancies out of 58 positions (19.0%)\n                                   in December 2008. Two of the vacancies remained open\n                                   over 300 days and an additional two positions (an emergency\n                                   management specialist and a telecom specialist),\n                                   approximately $173,100 in annual salary costs and benefits,\n                                   were not filled in more than a year and a half. Although\n                                   some delay in filling positions is unavoidable, offices can\n                                   reduce the amount through good hiring and employee\n                                   retention practices.\n\n                                   The delay in filling vacancies creates a salary lapse that can\n                                   fund other expenses. 5 OCIO salary lapse and vacancies\n                                   indicate that OCIO inappropriately used funds budgeted for\n                                   salaries to routinely cover budget shortfalls. In FY 2008,\n                                   OCIO salary lapse totaled approximately $768,000. With the\n                                   proper OCFO approval, OCIO reprogrammed these funds to\n                                   cover budget shortfalls including travel costs associated with\n                                   the Magellan and the Volunteer Information Database\n                                   Application projects, staff training, and new project studies.\n\n                                   Offices should only budget for the positions and salaries\n                                   necessary to complete their mission. Offices must also\n\n5\n    The OCFO regulates the savings from salary lapse through routine budget review.\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management        32\n\x0c                                conduct the proper budget planning and allocate the\n                                necessary resources to cover expected costs. To ensure the\n                                OCIO is properly staffed and can accomplish its mission, it\n                                must make a concerted effort to fill vacancies timely or\n                                return the positions and associated salary costs to the OCFO\n                                for reallocation.\n\n                                By April 2009, OCIO had reduced the number of vacancies\n                                to 9 out of 72 positions (12.5%) and began filling one of the\n                                two vacancies open for more than a year. The emergency\n                                management specialist position, vacant since September\n                                2007, had not been filled as of June 2009. Therefore, Peace\n                                Corps could put the $107,989 for this position to better use\n                                by reallocating the costs.\n\n\nWE RECOMMEND:\n\n22. That the Chief Information Officer, in conjunction with the Director of Personnel\n    Management, review the Office of the Chief Information Officer organizational\n    structure and positions to determine the most efficient alignment. Based on the\n    review identify whether vacancies require filled or should be realigned to other\n    positions or offices.\n\n\n\n\nAGENCY IT PERSONNEL             The OCIO did not have clear lines of communication with\n                                all agency IT specialists.\n\n\n                                In FY 2009, Peace Corps headquarters staff included 10 IT\n                                specialists not assigned to OCIO. Three of the 10 served as a\n                                liaison between OCIO and their office. These individuals\n                                communicated regularly with OCIO. The remaining seven\n                                IT specialists were in the OCFO financial systems office. In\n                                addition, at overseas posts approximately 60 personal\n                                services contractors served as IT specialists.\n\n                                OCIO is required to have visibility over all IT resources,\n                                including personnel. Title 40 U.S. Code 11315 requires the\n                                CIO "annually, as part of the strategic planning and\n                                performance evaluation process. . .\n\n                                        (A) Assesses the requirements established for\n                                        agency personnel regarding knowledge and skill\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management     33\n\x0c                                        in information resources management and the\n                                        adequacy of those requirements for facilitating\n                                        the achievement of the performance\n                                        goals established for information resources\n                                        management.\n\n                                        (B) Assesses the extent to which the positions\n                                        and personnel at the executive level of the\n                                        agency and the positions and personnel at\n                                        management level of the agency below the\n                                        executive level meet those requirements.\n\n                                        (C) Develops strategies and specific plans for\n                                        hiring, training, and professional development\n                                        to rectify any deficiency in meeting those\n                                        requirements.\xe2\x80\x9d\n\n                                The OCFO IT personnel provided technical support for the\n                                Peace Corps financial management system. Although the\n                                OCFO financial systems office communicated with the\n                                OCIO as necessary, there was no process to ensure that the\n                                IT specialists received the proper support and oversight of\n                                the OCIO. As a result, OCIO did not have proper oversight\n                                of all IT managers, timely information regarding all OCFO\n                                IT expenses, and administrative control over staff training\n                                and qualifications. Specifically:\n\n                                \xe2\x80\xa2 The director in charge of the OCFO financial systems\n                                  office did not report to the OCIO nor have a performance\n                                  element assessed by the OCIO. OMB memorandum 9-02\n                                  reaffirmed and clarified the organizational, functional, and\n                                  operational governance framework. To manage and\n                                  optimize the effective use of IT in federal agencies, the\n                                  memorandum stated that the agency CIO may establish\n                                  and provide evaluations and appraisals in collaboration\n                                  with the appropriate supervisors within the performance\n                                  plans of IT and IT-related executives and senior\n                                  managers.\n\n                                \xe2\x80\xa2 In finding A, the budget integration paragraph described\n                                  how the OCFO financial systems office did not always\n                                  inform OCIO of IT projects timely and was able to\n                                  receive $959,300 in funding for an IT project before\n                                  receiving approval from the IRB. By permitting offices\n                                  to receive or spend IT related funds without following the\n                                  necessary IT investment review process the agency risks\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management    34\n\x0c                                    spending funds on projects that may be unnecessary,\n                                    under budgeted, or not feasible.\n\n                                \xe2\x80\xa2 OCFO financial systems office did not report its staff\xe2\x80\x99s IT\n                                  training and qualifications to the OCIO to ensure the\n                                  OCIO tracked all agency IT knowledge and skills.\n\n                                Without a requirement to report to OCIO, there is no\n                                assurance that OCIO has complete visibility of all agencies\n                                IT resources. The CIO must have visibility over all IT\n                                resources, projects and personnel, to perform the functions\n                                required by CCA and properly account for all information\n                                resources management activities. One way to ensure OCIO\n                                control over agency IT is to create an organizational structure\n                                that aligns IT personnel along reporting chains that feed to\n                                the OCIO.\n\n\nWE RECOMMEND:\n\n23. That the Peace Corps Director consider realigning all headquarters information\n    technology personnel positions to the Chief Information Officer reporting chain or\n    requiring the Chief Information Officer provide input for a performance element\n    concerning information technology responsibilities in the annual performance plan of\n    all managers with significant information technology responsibilities.\n\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management     35\n\x0c                                AGENCY INITIATIVES\n Peace Corps OCIO made several improvements during FYs 2008 and 2009 as it\n revised the investment review board process, reviewed its budgetary accounts, and\n reevaluated its contract mechanisms.\n\n     \xe2\x80\xa2   In April and May 2009, the OCIO drafted revisions to the IRB and EAAB\n         charters. The updated charters included additional details on the decision\n         making process and defined which IT projects require EAAB and IRB review.\n         The charter still did not fully describe costs, schedule tracking, or the\n         evaluation process. To ensure compliance with CCA and OMB A-130, all\n         elements of the IT governance process must be fully documented in Peace\n         Corps policy, such as the Peace Corps Manual, and followed by all Peace Corps\n         offices.\n\n     \xe2\x80\xa2   In May 2009, OCIO began maintaining the IRB approvals electronically. If\n         maintained in a readily available location, these records will help improve the\n         IT governance\xe2\x80\x99s transparency.\n\n     \xe2\x80\xa2   OCIO is also developing a collaboration tool that will enable Peace Corps\n         offices to communicate during IT planning and development and consolidate IT\n         project documents. However, OCIO has not clearly defined the responsibilities\n         for preparing documents. To ensure the appropriate documents are maintained\n         in a readily available location, the collaboration tool must be designed so the\n         users can easily identify what is required and who is responsible for each\n         document. If well-designed and implemented across the agency, this\n         collaboration tool will facilitate sharing of information and provide a useful\n         repository of IT project information.\n\n     \xe2\x80\xa2   In FY 2009, OCIO did not renew the full contract for IT asset management and\n         support services and began terminating it. OCIO redistributed the IT services\n         by issuing smaller contracts and increasing OCIO personnel levels. Although\n         reducing the dollar amount and scope of each individual contract, OCIO issued\n         more contracts by separating the services. Therefore, it is still important that\n         OCIO managers clearly define contractor level work, track costs, and ensure\n         performance.\n\n The recent OCIO initiatives combined with corrective actions taken in response to this\n report will help promote efficiency and ensure compliance with federal regulations.\n\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management    36\n\x0c                               INTERNAL CONTROLS\n The Government Accountability Office report GAO/AIMD-00-21.3.1, \xe2\x80\x9cStandards for\n Internal Control in the Federal Government,\xe2\x80\x9d established guidance for implementing\n internal controls in federal agencies. Internal controls provide reasonable assurance\n that the following objectives are being achieved:\n\n         \xe2\x80\xa2    effectiveness and efficiency of operations,\n         \xe2\x80\xa2    reliability of financial reporting, and\n         \xe2\x80\xa2    compliance with applicable laws and regulations.\n\n The five internal control standards are control environment, risk assessment, control\n activities, information/communication, and monitoring. During our audit, we reviewed\n whether Peace Corps had adequate internal controls over OCIO budget formulation and\n management. In our report, we identified the internal control weaknesses related to\n three of the five standards; control environment, control activities, and information/\n communication.\n\n The OCFO manages the agency\xe2\x80\x99s risk assessment program. OCIO complied with\n OCFO risk assessment program by submitting annual risk assessments and statements\n of assurance; we did not test the validity of the risk assessments. Monitoring includes\n audits and the agency\xe2\x80\x99s responsiveness to our recommendations. There were no\n previous audit recommendations outstanding at the time of our audit and therefore, no\n internal control weakness related to monitoring.\n\n Control Environment. We determined that the OCIO did not have oversight of all IT\n personnel and therefore could not properly manage all the agency\xe2\x80\x99s IT resources.\n Further, OCIO did not fill vacancies timely. According to the Government\n Accountability Office,\n\n         Another factor affecting the environment is the agency\xe2\x80\x99s organizational\n         structure\xe2\x80\xa6. A good internal control environment requires that the\n         agency\xe2\x80\x99s organizational structure clearly define key areas of authority\n         and responsibility and establish appropriate lines of reporting.\xe2\x80\xa6 Good\n         human capital policies and practices are another critical environmental\n         factor. This includes establishing appropriate practices for hiring,\n         orienting, training, evaluating, counseling, promoting, compensating, and\n         disciplining personnel. It also includes providing a proper amount of\n         supervision.\n\n Control Activities. OCIO did not have sufficient control activities to ensure\n compliance with federal regulations and Peace Corps policies. We determined that\n documentation was not always prepared and maintained to support key IT decisions.\n Further, OCIO COTRs did not adequately oversee contracts to ensure the agency\n received the contracted goods and services. Government Accountability Office states,\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management    37\n\x0c         Control activities are the policies, procedures, techniques, and\n         mechanisms that enforce management\xe2\x80\x99s directives, such as the process of\n         adhering to requirements for budget development and execution. They\n         help ensure that actions are taken to address risks. Control activities are\n         an integral part of an entity\xe2\x80\x99s planning, implementing, reviewing, and\n         accountability for stewardship of government resources and achieving\n         effective results.\n\n Information/communication. The PMO did not report accurate and complete project\n information to the investment review board. This information was necessary for\n management to make decisions on whether to recommend IT investments to the\n Director for funding. Government Accountability Office states,\n\n         Information should be recorded and communicated to management and\n         others within the entity who need it and in a form and within a time\n         frame that enables them to carry out their internal control and other\n         responsibilities.\n\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management   38\n\x0c                           QUESTIONED COSTS AND\n                          FUNDS PUT TO BETTER USE\nWe identified questioned costs and funds to be put to better use during the course of the\naudit. They are discussed in the accompanying audit report and enumerated below along\nwith the recommendation number in the report.\n\n\n                                      Questioned Costs\n  Recommendation\n                                                  Description                              Amount\n      number\n        19                  Disaster Recovery Testing                                      $35,000\n\n\n                                  Funds Put to Better Use\n  Recommendation\n                                                  Description                              Amount\n      number\n         7                  Purchase of E-vault Software                                   $46,368\n        22                  Lapsed Salary Costs                                           $107,989\n       Total                                                                              $154,357\n\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management          39\n\x0c                         LIST OF RECOMMENDATIONS\nWE RECOMMEND:\n\n1. That the Peace Corps Director, in conjunction with the Chief Information Officer,\n   develop an IRM strategic plan that identifies the agency\xe2\x80\x99s long-term IT goals,\n   describes how IT supports all Information Resource Management, and connects IT\n   initiatives to the Peace Corps mission.\n\n2. That the Chief Information Officer update the enterprise architecture to reflect the\n   current IT environment.\n\n3. That the Chief Information Officer develop an enterprise architecture roadmap that\n   supports how the agency\xe2\x80\x99s IT initiatives will support the IRM strategic plan.\n\n4. That the Chief Information Officer develop a Peace Corps manual section to describe\n   the information technology governance process, to include the various review boards\n   and their functions.\n\n5. That the Chief Information Officer update the system development life cycle\n   handbook to discuss the current information technology life cycle and\n   required documentation.\n\n6. That the Chief Information Officer review all information technology projects\n   to determine whether any require an exhibit 300 and prepare the\n   documentation when necessary.\n\n7. That the Investment Resource Board develop and implement a standard list of\n   required information and selection criteria for all information technology\n   projects presented for approval. Use the criteria to assist the Information\n   Resource Board in prioritizing information technology projects.\n\n8. That the Investment Resource Board maintain records to support all approval\n   and prioritization decisions and ensure the information is readily available to\n   agency management.\n\n9. That the Investment Resource Board and Enterprise Architecture Advisory\n   Board establish the process and criteria that will be used to monitor\n   information technology projects during development and implementation.\n\n10. That the Chief Information Officer develop a costing technique to track total\n    information technology costs and establish guidelines for how the agency will\n    implement the costing technique for information technology projects.\n\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management   40\n\x0c11. That the Investment Resource Board and Enterprise Architecture Advisory\n    Board establish the process and criteria that will be used to evaluate\n    information technology projects post implementation.\n\n12. That the Chief Information Officer issue guidance that describes the roles and\n    responsibilities of the technical representatives and their relationship with project\n    sponsors and managers. The guidance must clearly define who is responsible for\n    each required document throughout the information technology project\xe2\x80\x99s life cycle\n    and who will retain the documentation.\n\n13. That the Chief Information Officer develop and enforce standard operating\n    procedures that will ensure the required information technology documentation is\n    prepared timely and maintained in a readily available location for the life of the\n    project.\n\n14. That the Chief Information Officer design the layout within the information\n    technology\xe2\x80\x99s collaboration tool to assist users in determining which\n    documentation is required and who is responsible for each step of the\n    information technology process.\n\n15. That the Chief Financial Officer in conjunction with the Chief Information Officer\n    clearly define the Office of the Chief Information Officer\xe2\x80\x99s operations and\n    maintenance account and the information technology centrally managed account and\n    include the updated definition in the annual Peace Corps budget submission.\n\n16. That the Chief Information Officer establish procedures to ensure the obligations are\n    properly assigned to the Office of the Chief Information Officer\xe2\x80\x99s operations and\n    maintenance account and the information technology centrally managed account\n    based on the account definitions.\n\n17. That the Chief Financial Officer establish standard operating procedures concerning\n    the preparation and submission of the requests for agency resources. Specifically, the\n    guidance must describe which costs to include, establish what documentation is\n    necessary to support the cost estimates, and require information review board\n    approval for requests related to information technology.\n\n18. That the Chief Information Officer, in conjunction with the Chief Financial Officer,\n    review the Office of the Chief Information Officer\xe2\x80\x99s recent requests for agency\n    resources to determine whether any the costs should be included in the operating\n    budget to mitigate the risk that essential information technology activities are not\n    funded in a timely manner.\n\n19. That the Chief Acquisition Officer review the Office of the Chief Information\n    Officer\xe2\x80\x99s procedures for providing technical oversight and provide instruction for the\n    its contracting officer\xe2\x80\x99s technical representatives when managing large information\n    technology contracts.\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management     41\n\x0c20. That the Chief Acquisition Officer request an audit of the August 2006 Office of\n    Chief Information Officer contract for information technology services.\n\n21. That the Chief Information Officer ensure all Office of the Chief Information Officer\n    personnel assigned as contracting officer\xe2\x80\x99s technical representatives are properly\n    trained and are fulfilling the required responsibilities.\n\n22. That the Chief Information Officer, in conjunction with the Director of Personnel\n    Management, review the Office of the Chief Information Officer organizational\n    structure and positions to determine the most efficient alignment. Based on the\n    review identify whether vacancies require filled or should be realigned to other\n    positions or offices.\n\n23. That the Peace Corps Director consider realigning all headquarters information\n    technology personnel positions to the Chief Information Officer reporting chain or\n    requiring the Chief Information Officer provide input for a performance element\n    concerning information technology responsibilities in the annual performance plan of\n    all managers with significant information technology responsibilities.\n\n\n\n\nFinal Report: Office of the Chief Information Officer Budget Formulation and Management   42\n\x0cAPPENDIX A\n\n           OBJECTIVES, SCOPE, AND METHODOLOGY\nThe overall audit objective was to determine whether the OCIO, in conjunction with the\nOCFO, implemented effective budget formulation and budget execution procedures that\nresulted in the most economic and efficient use of Peace Corps budgetary resources.\nAdditionally, we reviewed internal controls as they relate to budget formulation and\nbudget management.\n\nWe based our audit conclusions on information from the following three primary sources:\ndocument and data analysis, interviews, and direct observations. We interviewed all\nOCIO project managers, OCIO administrative personnel, and OCFO budget personnel.\nWe did not use computer-processed data during this audit. We reviewed the IT\ninvestment, budget formulation, and budget management processes. The IT governance\nprocess and Peace Corps administrative control of funds provide internal control over the\nbudget process. We reviewed whether these processes were in place and operating\neffectively and noted any weaknesses in this report.\n\nWe reviewed FY 2007, 2008, and 2009 funding documents including OCIO operating\nbudgets, RARs, reprogramming actions, and budget of funds used reports. We\njudgmentally selected contracts and invoices to review for accuracy and completeness.\nIn addition, we analyzed the OCIO position descriptions and salary expenses to\ndetermine whether OCIO properly managed human resources. We also reviewed a\njudgmental selection of 15 IT projects for documentation to support cost estimates, cost\nand schedule tracking, and benefit analysis.\n\nWe conducted this performance audit in accordance with generally accepted government\nauditing standards. Those standards require that we plan and perform the audit to obtain\nsufficient, appropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our audit objectives. We believe that evidence obtained provides a\nreasonable basis for our findings and conclusions based on our audit objectives.\n\x0cAPPENDIX B\n\n                        ACRONYMS AND GLOSSARY\n\nACRONYMS\n\n CCA                                                                   Clinger Cohen Act\n CIO                                                            Chief Information Officer\n COTR                                      Contracting Officer\xe2\x80\x99s Technical Representative\n EA                                                                Enterprise Architecture\n EAAB                                            Enterprise Architecture Advisory Board\n GAO                                                   Government Accountability Office\n IT                                                               Information Technology\n IRB                                                            Investment Review Board\n IRM                                                  Information Resource Management\n OCFO                                                Office of the Chief Financial Officer\n OCIO                                             Office of the Chief Information Officer\n OMB                                                   Office of Management and Budget\n PMO                                                         Program Management Office\n SDLC                                                   Systems Development Life Cycle\n TRM                                                    Technical Relationship Managers\n\n\nGLOSSARY\n\nClinger-Cohen Act of 1996. Federal law that establishing a comprehensive approach for\nexecutive agencies to improve the acquisition and management of their information\nresources, by focusing information resource planning to support their strategic missions;\nimplementing a capital planning and investment control process that links to budget\nformulation and execution; and rethinking and restructuring the way they do their work\nbefore investing in information systems.\n\nEnterprise Architecture. The explicit description and documentation of the current and\ndesired relationships among business and management processes and information\ntechnology. It describes the current architecture (as-is) and the target architecture (to be)\nalong with the standards and systems life cycle information to optimize and maintain the\nenvironment which the agency wishes to create and maintain through its IT portfolio.\n\nInformation Technology. Any equipment or interconnected system or subsystem of\nequipment, that is used in the automatic acquisition, storage, manipulation, management,\nmovement, control, display, switching, interchange, transmission, or reception of data or\ninformation by an executive agency. This includes computers, ancillary equipment,\nsoftware, firmware and similar procedures, services (including support services), and\nrelated resources.\n\x0cAPPENDIX B\n\nInformation Resource Management. The process of managing information resources\nto accomplish agency missions. The term encompasses both information itself and the\nrelated resources, such as personnel, equipment, funds, and information technology.\n\nInformation Technology Investment Portfolio. A list of major IT projects and total\ncosts covering the entire risk-adjusted life cycle of each system and including all\nbudgetary resources. Federal agencies must report their portfolio and any updates to\nOMB in compliance with the CCA.\n\nProject. A temporary endeavor undertaken to create a unique product, service, or result.\nAn IT project as one that, \xe2\x80\x9cinvolves the delivery of an information technology product,\nservice, or system.\xe2\x80\x9d The OCIO processes were part of the normal business operations\nand not IT projects.\n\nMajor Information Technology Investment. A system or acquisition requiring special\nmanagement attention because of its importance to the mission or function of the agency,\na component of the agency or another organization; is for financial management and\nobligates more than $500,000 annually; has significant program or policy implications;\nhas high executive visibility; has high development, operating, or maintenance costs; is\nfunded through other than direct appropriations; or is defined as major by the agency\xe2\x80\x99s\ncapital planning and investment control process.\n\nSystems Development Life Cycle. The phases through which an information system\npasses, typically characterized as initiation, development, operation, and termination. It\nprovides a common understanding between project managers and agency sponsors in\nterms of expected tasks and accomplishments, deliverables, and requirements from one\nlife cycle phase to the next.\n\x0cAPPENDIX C\n\n      CHIEF INFORMATION OFFICER RESPONSIBILITIES\n\nIn its report, GAO-04-823, GAO identified the following 13 major areas of Chief\ninformation Officer responsibilities as either statutory requirements or critical to effective\ninformation and technology management.\n\n\xe2\x80\xa2   IT/IRM strategic planning. CIOs are responsible for strategic planning for all\n    information and information technology management functions\xe2\x80\x94thus, the term IRM\n    strategic planning [44 U.S.C. 3506(b)(2)].\n\n\xe2\x80\xa2   IT capital planning and investment management. CIOs are responsible for IT\n    capital planning and investment management [44 U.S.C. 3506(h) and 40 U.S.C.\n    11312 & 11313].\n\n\xe2\x80\xa2   Information security. CIOs are responsible for ensuring compliance with the\n    requirement to protect information and systems [44 U.S.C. 3506(g) and 3544(a)(3)].\n\n\xe2\x80\xa2   IT/IRM workforce planning. CIOs have responsibilities for helping the agency\n    meet its IT/IRM workforce or human capital needs [44 U.S.C. 3506(b) and 40 U.S.C.\n    11315(c)].\n\n\xe2\x80\xa2   Information collection/paperwork reduction. CIOs are responsible for the review\n    of agency information collection proposals to maximize the utility and minimize\n    public \xe2\x80\x9cpaperwork\xe2\x80\x9d burdens [44 U.S.C. 3506(c)].\n\n\xe2\x80\xa2   Information dissemination. CIOs are responsible for ensuring that the agency\xe2\x80\x99s\n    information dissemination activities meet policy goals such as timely and equitable\n    public access to information [44 U.S.C. 3506(d)].\n\n\xe2\x80\xa2   Records management. CIOs are responsible for ensuring that the agency\n    implements and enforces records management policies and procedures under the\n    Federal Records Act [44 U.S.C. 3506(f)].\n\n\xe2\x80\xa2   Privacy. CIOs are responsible for compliance with the Privacy Act and related laws\n    [44 U.S.C. 3506(g)].\n\n\xe2\x80\xa2   Statistical policy and coordination. CIOs are responsible for the agency\xe2\x80\x99s statistical\n    policy and coordination functions, including ensuring the relevance, accuracy, and\n    timeliness of information collected or created for statistical purposes [44 U.S.C.\n    3506(e)].\n\n\xe2\x80\xa2   Information disclosure. CIOs are responsible for information access under the\n    Freedom of Information Act [44 U.S.C. 3506(g)].\n\x0cAPPENDIX C\n\n\xe2\x80\xa2   Enterprise architecture. Federal laws and guidance direct agencies to develop and\n    maintain enterprise architectures as blueprints to define the agency mission, and the\n    information and IT needed to perform that mission.\n\n\xe2\x80\xa2   Systems acquisition, development, and integration. We have found that a critical\n    element of successful IT management is effective control of systems acquisition,\n    development and integration [44 U.S.C. 3506(h)(5) and 40 U.S.C. 11312].\n\n\xe2\x80\xa2   E-government initiatives. Various laws and guidance direct agencies to undertake\n    initiatives to use IT to improve government services to the public and internal\n    operations [44 U.S.C. 3506(h)(3) and the E-Government Act of 2002]\n\x0cAPPENDIX D\n\n                    MANAGEMENT\xe2\x80\x99S RESPONSE TO\n                     THE PRELIMINARY REPORT\n\n\nManagement provided consolidated comments from the chief information officer, chief\nacquisition officer, and chief financial officer on December 16, 2009. The comments did\nnot provide the response from the Peace Corps Director for recommendations 1 and 23.\nResponses to recommendations 1 and 23 were subsequently provided on January 8, 2010.\nWe inserted the January 8, 2010 response into the December 16, 2009 response.\n\x0cDATE:           December 16, 2009\n\nTO:             Kathy Buller, Inspector General\n\nFROM:           Chris Sarandos, Acting Chief Information Officer\n\nCC:             Stacey Rhodes, Chief of Staff\n                Kathy Rulon, Acting Senior Advisor to the Chief of Staff\n                Thomas Bellamy, Acting Chief Financial Officer\n                Carey Fountain, Chief Acquisition Officer\n                Nicola Cullen, Policy & Program Analyst\n\nSUBJECT:        Office of the Chief Information Officer\xe2\x80\x99s Response to the OIG Preliminary Report on the\n                Audit of Peace Corps Office of the Chief Information Officer Budget Formulation and\n                Management\n\n\n\nThe following responses reflect the consensus of the Office of the Chief Information Officer.\n\n\n1.    That the Peace Corps Director, in conjunction with the Chief Information Officer, develop an IRM\n      strategic plan that identifies the agency\xe2\x80\x99s long-term IT goals, describes how IT supports all\n      Information Resource Management, and connects IT initiatives to the Peace Corps mission.\n      Response:\n      Concur \xe2\x80\x93 the Enterprise Architecture (EA) team will prepare a preliminary IRM strategic plan based on the\n      existing OCIO strategic plan and submit this to the CIO and subsequently to the Director for review and\n      approval.\n\n      Revised response provided on January 8, 2010:\n      Response: Concur \xe2\x80\x93 The Director\xe2\x80\x99s Office has tasked the Acting CIO to draft a preliminary\n      Information Resource Management plan based on the existing needs of the agency and the plans for\n      growth. This includes automating the Volunteer Delivery System and establishing an Electronic\n      Health Record system. Once the Chief Information Officer is appointed, the Chief of Staff will charge\n      him/her to conduct a review of the preliminary plan to ensure that the agency\xe2\x80\x99s IT priorities are\n      planned and budgeted for in the out years,\n\n\n\n2.    That the Chief Information Officer update the enterprise architecture to reflect the current IT\n      environment.\n      Response:\n      Concur \xe2\x80\x93 the EA team is currently working on this initiative, and will continue to do so, particularly as\n      the Volunteer Delivery System (VDS) implementation moves forward. This effort is currently\n      constrained by a lack of resources.\n\x0c3.   That the Chief Information Officer develop an enterprise architecture roadmap that supports how the\n     agency\xe2\x80\x99s IT initiatives will support the IRM strategic plan.\n     Response:\n     Concur \xe2\x80\x93 the EA team will develop this in conjunction with the IRM as noted in the response to\n     recommendation 1 above.\n\n\n4.   That the Chief Information Officer develop a Peace Corps manual section to describe the information\n     technology governance process, to include the various review boards and their functions.\n     Response:\n     Non-Concur \xe2\x80\x93 the governance process is an internal OCIO process, but it is not necessary for it to\n     become a manual section.\n\n\n5.   That the Chief Information Officer update the system development life cycle handbook to discuss the\n     current information technology life cycle and required documentation.\n     Response:\n     Concur \xe2\x80\x93 this update has already begun, and as in item 2, it is currently constrained by a lack of\n     resources.\n\n\n6.   That the Chief Information Officer review all information technology projects to determine whether\n     any require an exhibit 300 and prepare the documentation when necessary.\n     Response:\n     Concur \xe2\x80\x93 at this time, the OCIO believes that the only current project that requires an exhibit 300 is\n     the VDS and the exhibit 300 and associated documentation will be developed as the project\n     progresses.\n\n7.   That the Investment Resource Board develop and implement a standard list of required information\n     and selection criteria for all information technology projects presented for approval. Use the criteria to\n     assist the Information Resource Board in prioritizing information technology projects.\n     Response:\n     Concur \xe2\x80\x93 the OCIO concurs with the premise of this recommendation that there should be selection\n     criteria developed. However, it is not the responsibility of the OCIO to develop the criteria, but rather\n     it should be determined by the senior management of the Agency.\n\n\n8.   That the Investment Resource Board maintain records to support all approval and prioritization\n     decisions and ensure the information is readily available to agency management.\n     Response:\n     Concur \xe2\x80\x93 the EA team has already implemented a better record keeping process and will continue to\n     refine and improve the process as new employees are added to the team.\n\n                                                                                                            -2-\n\x0c9.   That the Investment Resource Board and Enterprise Architecture Advisory Board establish the\n     process and criteria that will be used to monitor information technology projects during development\n     and implementation.\n     Response:\n     Concur \xe2\x80\x93 significant progress will be made as new Project Management Office (PMO) staff is hired.\n     OCIO also has submitted an RAR to address this issue, and is waiting funding for this initiative.\n\n\n10. That the Chief Information Officer develop a costing technique to track total information technology\n    costs and establish guidelines for how the agency will implement the costing technique for information\n    technology projects.\n     Response:\n     Concur \xe2\x80\x93 with this recommendation to the extent that a TCO evaluation is done at the beginning of\n     the project. However, there are no chargeback mechanisms in place (fee for service) to allow for\n     ongoing project cost allocation.\n\n\n11. That the Investment Resource Board and Enterprise Architecture Advisory Board establish the\n    process and criteria that will be used to evaluate information technology projects post implementation.\n     Response:\n     Concur \xe2\x80\x93 the process and criteria will be developed in conjunction with the new PMO personnel\n     coming on board within the OCIO.\n\n\n12. That the Chief Information Officer issue guidance that describes the roles and responsibilities of the\n    technical representatives and their relationship with project sponsors and managers. The guidance\n    must clearly define who is responsible for each required document throughout the information\n    technology project\xe2\x80\x99s life cycle and who will retain the documentation.\n     Response:\n     Concur \xe2\x80\x93 the current management team of the OCIO, together with the EA team, has a plan to\n     address this recommendation.\n\n\n13. That the Chief Information Officer develop and enforce standard operating procedures that will\n    ensure the required information technology documentation is prepared timely and maintained in a\n    readily available location for the life of the project.\n     Response:\n     Concur \xe2\x80\x93 significant progress will be made as new Project Management Office (PMO) staff is hired\n     and when the solution to recommendation 12 is implemented. In the meantime, the existing EA staff\n     will work to ensure better compliance with project documentation standards enforcement.\n\n\n14. That the Chief Information Officer design the layout within the information technology\xe2\x80\x99s\n    collaboration tool to assist users in determining which documentation is required and who is\n    responsible for each step of the information technology process.\n\n\n                                                                                                         -3-\n\x0c     Response:\n     Non-Concur \xe2\x80\x93 OCIO provides templates and guidance for project documentation. However, given\n     the current PMO infrastructure, there are insufficient resources to address this recommendation as\n     outlined by the recommendation.\n\n\n15. That the Chief Financial Officer in conjunction with the Chief Information Officer clearly define the\n    Office of the Chief Information Officer\xe2\x80\x99s operations and maintenance account and the information\n    technology centrally managed account and include the updated definition in the annual Peace Corps\n    budget submission.\n     Response:\n     Concur \xe2\x80\x93 the OCFO agrees that clarification and definition on the use of the OCIO\xe2\x80\x99s operations and\n     maintenance account and the information technology (IT) centrally managed account should be\n     documented and proposes to issue coordinated guidance. There does not seem, however, to be any\n     need for Senior Agency Management level conversations other than what would normally be required\n     in order to coordinate and issue the additional guidance.\n\n\n16. That the Chief Information Officer establish procedures to ensure the obligations are properly\n    assigned to the Office of the Chief Information Officer\xe2\x80\x99s operations and maintenance account and the\n    information technology centrally managed account based on the account definitions.\n     Response:\n     Concur \xe2\x80\x93 this has already begun in conjunction with the FY2010 budget process and will see full\n     implementation as the new CAO is brought on board.\n\n\n17. That the Chief Financial Officer establish standard operating procedures concerning the preparation\n    and submission of the requests for agency resources. Specifically, the guidance must describe which\n    costs to include, establish what documentation is necessary to support the cost estimates, and require\n    information review board approval for requests related to information technology.\n     Response:\n     Concur \xe2\x80\x93 the CIO will work with the CFO to develop standard operating procedures concerning the\n     preparation and submission of the requests for agency resources. While general guidance on Requests\n     for Agency Resources (RAR) is contained in CFO Bulletin Number 06-03, Subject: Reengineering of\n     Peace Corps\xe2\x80\x99 Integrated Planning and Budget System (IPBS), dated January 6, 2006, under the\n     Requests for Agency Resources (RAR) bullet and the Reprogramming Defined and Thresholds\n     Revised bullet, the OCFO agrees that this guidance could be expanded to include specific treatment of\n     the IT centrally managed account in order to not \xe2\x80\x9ccommingle\xe2\x80\x9d funds and that coordinated, clarifying\n     guidance should include any other issues that would impact not only the OCIO but also other\n     Departments.\n\n\n18. That the Chief Information Officer, in conjunction with the Chief Financial Officer, review the Office\n    of the Chief Information Officer\xe2\x80\x99s recent requests for agency resources to determine whether any the\n    costs should be included in the operating budget to mitigate the risk that essential information\n    technology activities are not funded in a timely manner.\n\n\n                                                                                                          -4-\n\x0c     Response:\n     Concur \xe2\x80\x93 the response to finding 15 applies to this recommendation. The OCFO agrees that a joint\n     review with the CIO on RARs should be conducted in accordance with the Director\xe2\x80\x99s resource\n     priorities. The OCFO further believes that the RARs of the other departments should be subjected to\n     further review in conjunction with the expected receipt of additional funding in the near future.\n\n\n19. That the Chief Acquisition Officer review the Office of the Chief Information Officer\xe2\x80\x99s procedures\n    for providing technical oversight and provide instruction for its contracting officer\xe2\x80\x99s technical\n    representatives when managing large information technology contracts.\n     Response:\n     Partially Concur \xe2\x80\x93 OACM currently provides instructions to Contracting Officer Technical\n     Representatives (COTR) regarding general contract oversight responsibilities in it\xe2\x80\x99s delegation of\n     authority letters. However, staff turnover, insufficient training and the lack of clearly defined contract\n     surveillance plans contribute to contract oversight falling short of what\xe2\x80\x99s needed. To address the root\n     cause of this problem, OACM has developed and is in the process of implementing an agency level\n     COTR certification policy and a Contract Surveillance Review Program. The certification policy will\n     establish minimum training standards for COTRs, and through periodic reviews, the Surveillance\n     Review Program will help ensure contract surveillance plans are developed and contractor\n     performance is being tracked in accordance with the plan. At this time, OACM does not have\n     sufficient resources to fully implement these two initiatives. A request for agency resources has been\n     submitted and approval is pending.\n\n\n20. That the Chief Acquisition Officer request an audit of the August 2006 Office of Chief Information\n    Officer contract for information technology services.\n     Response:\n     Non-Concur \xe2\x80\x93 The SEAT Contract issued in August 2006 is a Firm Fixed Price Commercial Contract\n     and is not subject to contract audit requirements. OACM has no knowledge of any improprieties\n     associated with the contract and therefore has no basis for requesting an audit of this type. However, if\n     OIG believes that some other audit of a specialized nature is appropriate, the background and basis for\n     the audit should be provided or the audit should be performed by OIG. It should also be noted that\n     OCIO did reconcile invoices to products delivered under the SEAT catalog to help develop the\n     agency\xe2\x80\x99s negotiating position to settle the partial contract termination (still in process) issued in early\n     2008.\n\n\n21. That the Chief Information Officer ensure all Office of the Chief Information Officer personnel\n    assigned as contracting officer\xe2\x80\x99s technical representatives are properly trained and are fulfilling the\n    required responsibilities.\n     Response:\n     Concur \xe2\x80\x93 the OCIO has begun the appropriate training process, and will complete it with staff once\n     the guidelines currently under development in the Office of the Chief Acquisition Officer are\n     published and funding is provided.\n\n\n\n\n                                                                                                              -5-\n\x0c22. That the Chief Information Officer, in conjunction with the Director of Personnel Management,\n    review the Office of the Chief Information Officer organizational structure and positions to determine\n    the most efficient alignment. Based on the review identify whether vacancies require filled or should be\n    realigned to other positions or offices.\n     Response:\n     Non-Concur \xe2\x80\x93 the findings of the IG are consistent with the practices in all areas of the Agency and\n     are heartily endorsed by the OCFO.\n\n\n23. That the Peace Corps Director consider realigning all headquarters information technology personnel\n    positions to the Chief Information Officer reporting chain or requiring the Chief Information Officer\n    provide input for a performance element concerning information technology responsibilities in the\n    annual performance plan of all managers with significant information technology responsibilities.\n     Response:\n     Concur \xe2\x80\x93 however, the decision will need to be deferred to the Director. While any realignment of all\n     Headquarters IT personnel to the CIO reporting chain would ultimately be the Director\xe2\x80\x99s decision, it should\n     be realized that the successful certification and accreditation of the Odyssey financial management system\n     and, further, achieving the three Unqualified (clean) audit opinions for FY 2007 thru FY 2009 were\n     accomplished with the CFO Financial Services IT personnel under the focused, direct control of the CFO.\n     The efforts of these personnel could far more easily be diverted to alternative system requirements if under\n     the CIO\xe2\x80\x99s more broad systems umbrella. After the successful required recertification and accreditation of\n     Odyssey is achieved later this fiscal year, this could be given further consideration if desired.\n\n     Revised response provided on January 8, 2010:\n     Concur \xe2\x80\x93 The Chief of Staff or the Deputy Director will review IT personnel and their reporting chain\n     to determine the appropriateness of the current structure and consider realignments if appropriate.\n     Historically, there have been significant advantages to decentralizing IT support in selected offices.\n     For example, the Agency has been successful in obtaining certification and accreditation of the\n     Odyssey financial management system and three unqualified (clean) audit opinions for FY 2007 thru\n     FY 2009. These were accomplished with IT personnel under the focused, direct control of the CFO.\n\n\n\n\n                                                                                                               -6-\n\x0cAPPENDIX E\n\n                               OIG COMMENTS\n\nOf the 23 recommendations made in our report, management fully concurred with 18\nrecommendations, partially concurred with one recommendations, and nonconcurred with\nfour recommendations.\n\nOverall, management comments were not responsive. After receiving an incomplete\nresponse, we explained the need for supporting documentation and completion dates for\ncorrective actions in an email to the chief information officer. We received the finalized\nresponse from management more than 10 weeks beyond the usually six-week response\nperiod. However, management still did not provide us with evidence supporting actions it\nhad taken to correct the identified weaknesses. As a result, we were unable to close any\nthe recommendations. The 23 recommendations remain open pending confirmation from\nthe chief compliance officer that the following has been received:\n\n   \xe2\x80\xa2   For recommendations 1, 2, and 3: a copy of the IRM strategic plan, enterprise\n       architecture, and enterprise architecture roadmap.\n\n       Peace Corps paid a contractor to develop enterprise architecture documentation in\n       January 2004. However, Peace Corps did not finalize the documents and\n       neglected to update the information as it acquired and implemented new IT\n       systems. Now the documents are no longer relevant and do not provide the agency\n       with the information required to make informed IT planning and budgeting\n       decisions. According to OMB Circular A-130:\n\n              \xe2\x80\x9cAgencies must establish and maintain a capital planning and\n              investment control process that links mission needs, information,\n              and information technology in an effective and efficient manner.\n              The process will guide both strategic and operational IRM, IT\n              planning, and the Enterprise Architecture by integrating the\n              agency\'s IRM plans, strategic and performance plans prepared\n              pursuant to the Government Performance and Results Act of 1993,\n              financial management plans prepared pursuant to the Chief\n              Financial Officer Act of 1990 (31 U.S.C. 902a5), acquisition under\n              the Federal Acquisition Streamlining Act of 1994, and the agency\'s\n              budget formulation and execution processes. The capital planning\n              and investment control process includes all stages of capital\n              programming, including planning, budgeting, procurement,\n              management, and assessment.\xe2\x80\x9d\n\n   \xe2\x80\xa2   For recommendation 4: a copy of the new or updated Peace Corps Manual section\n       to include the information technology governance process. We also request an\n       estimated completion date for the new or updated Peace Corps Manual section.\n\x0cAPPENDIX E\n\n      The chief information officer stated that the governance process was an internal\n      Office of the Chief Information Officer process and did not need to be stated in a\n      Manual section. We strongly disagree. The governance process is an agency-wide\n      policy that all offices must comply with to ensure efficient information technology\n      decisions and investments. The governance process is required by the Clinger\n      Cohen Act of 1996 and Office of Management Budget Circular A-130. These\n      regulations require the Director to design and implement a process for maximizing\n      the value and assessing and managing the risks of the information technology\n      acquisitions of the executive agency. Formalizing the governance process in a\n      Peace Corps Manual section will help to inform offices of the required procedures\n      and provide a clear understanding of the responsibilities and requirements. We\n      believe this will help eliminate some of the management concerns expressed\n      during this audit about unclear responsibilities for project ownership and\n      documentation, offices bypassing the governance process; and a lack of\n      transparency in the information technology decision making process.\n\n  \xe2\x80\xa2   For recommendations 5: documentation stating the estimated completion date for\n      the updated system development lifecycle handbook and a copy of the finalized\n      version of the handbook upon issuance.\n\n  \xe2\x80\xa2   For recommendation 6: documentation defining the criteria used to determine\n      which information technology projects require exhibit 300s and a copy of the\n      current exhibit 300 for the Volunteer Delivery and Support System.\n\n      We could not determine which systems required an exhibit 300 because the Office\n      of the Chief Information Officer did not provide us with the criteria used when\n      determining which information technology projects require an exhibit 300.\n\n      The chief information officer stated that the only current project requiring an\n      exhibit 300 is the Volunteer Delivery and Support System and that associated\n      documentation will be developed as the project progresses. On the contrary,\n      during our audit the Office of the Chief Information Officer provided an outdated\n      exhibit 300 for the agency\xe2\x80\x99s financial management system.\n\n      The Office of Management and Budget requires agencies to prepare an exhibit 300\n      for all major investments, including a system requiring special management\n      attention because of its importance to the mission or function of the agency, has\n      significant program or policy implications, has high executive visibility, or has\n      high costs. Exhibit 300 is more than just a requirement, it is designed to be used as\n      a one-stop document for many management issues such as business cases for\n      investments, information technology security reporting, Clinger Cohen Act\n      implementation, E-Gov Act implementation, Government Paperwork Elimination\n      Act implementation, agency\xe2\x80\x99s modernization efforts, and overall project\n      management.\n\x0cAPPENDIX E\n  \xe2\x80\xa2   For recommendations 7, 8, 9, and 11: a copy of the finalized list of criteria for use\n      by the Investment Resource Board in approving and prioritizing information\n      technology projects and documentation of the processes the Board will use when\n      monitoring the development and implementation of projects and evaluating the\n      completed project. Further, we request an estimated completion date for these\n      criteria and process documentation.\n\n      The recommendations were addressed to the Investment Resource Board, chaired\n      by the chief of operations and the chief architect. However, only the Office of the\n      Chief Information Officer provided comments to these recommendations.\n\n      In recommendation 7, the Office of the Chief Information Officer stated that senior\n      management of the agency should determine the criteria needed when\n      approving and prioritizing information technology projects. The Investment\n      Resource Board is the executive level decision maker that approves and prioritizes\n      information technology projects. Therefore, the members of the Investment\n      Resource Board must agree to and document a standard list of required\n      information, the method for retaining these documents, and how the\n      documentation will be used to determine resource allocation, monitor information\n      technology projects progress, and evaluate projects after implementation.\n\n      The guidance for information technology investments is necessary to ensure Peace\n      Corps complies with the Clinger Cohen Act of 1996 that requires executive\n      agencies to develop a capital planning and investment control process that includes\n      the selection of information technology projects; integration with budget, financial,\n      and program management decisions; criteria used when approving, comparing, and\n      prioritizing information technology projects; quantifiable measurements of benefits\n      and risks; and timely information regarding the progress of information technology\n      projects.\n\n  \xe2\x80\xa2   For recommendation 10: documentation showing the development of a costing\n      technique to track information technology costs and compare results to budgets\n      throughout the lifecycle.\n\n      Although the chief information officer concurred with the recommendation to\n      develop a costing technique, he stated that there are no chargeback mechanisms in\n      place and cost evaluation is done at the beginning of the project.\n\n      Cost evaluation at the beginning of the project can only provided budget\n      information and estimates. It is essential that Peace Corps have a method to track\n      costs throughout system development to ensure projects are on schedule, avoid\n      cost overruns, and make informed decisions about resource allocation. Further,\n      costing techniques are necessary to comply with the Federal Acquisition\n      Streamlining Act of 1994 that requires agencies to establish cost, schedule, and\n      measurable performance goals for all major acquisition programs, and achieve on\n\x0cAPPENDIX E\n      average 90% of those goals. The Office of Management and Budget Circular A-\n      130 states that agencies must:\n\n         Institute performance measures and management processes that monitor\n         actual performance compared to expected results. Agencies must use a\n         performance based management system that provides timely\n         information regarding the progress of an information technology\n         investment. The system must also measure progress towards milestones\n         in an independently verifiable basis, in terms of cost, capability of the\n         investment to meet specified requirements, timeliness, and quality\xe2\x80\xa6\n\n      We recognize that a standard costing technique may not be cost beneficial for all\n      agency information technology projects. However, the monitoring process\n      required by the Information Resource Board and the system development life cycle\n      handbook should determine what cost information is required for the various types\n      and size of information technology projects.\n\n  \xe2\x80\xa2   For recommendations 12: documentation stating the estimated completion date for\n      the guidance describing the roles and responsibilities of project sponsors and\n      managers and a final version of the guidance upon issuance. We also request a\n      copy of the Enterprise Architecture team\xe2\x80\x99s plan for addressing this\n      recommendation.\n\n  \xe2\x80\xa2   For recommendation 13: documentation stating the estimated date of when the\n      Project Management Office will be fully staffed. Further, we request that in the\n      response to recommendation 4 the chief information officer include the\n      responsibilities of the Project Management Office in the updated or new Peace\n      Corps Manual section.\n\n      The chief information officer stated progress will be made by hiring a new Project\n      Management Office staff and defining the project roles and responsibilities. On\n      August 17, 2009, the chief information officer did not extend the tour of the\n      previous Project Management Office staff tasked with ensuring compliance with\n      standard operation procedures. The previous staff commented on lack of clearly\n      defined responsibilities and lack of authority for the Project Management Office to\n      ensure project sponsors and managers provided the required information timely.\n\n      Our recommendations to formalize procedures in a Peace Corps Manual section,\n      clarify project sponsors\xe2\x80\x99 and managers\xe2\x80\x99 roles, and use the collaboration tool to\n      assist users in preparing and maintaining documentation will help correct these\n      deficiencies. However, without sufficient Project\n\n      Management Office staff the Office of the Chief Information Officer will not have\n      the resources to overseas the process and ensure offices comply.\n\x0cAPPENDIX E\n  \xe2\x80\xa2   For recommendation 14: copy of the templates and guidance for IT project\n      documentation.\n\n      The chief information officer non-concurred with our recommendation to design\n      the new collaboration tool to better identify the required documents, where the\n      documentation is located within the folders, and who is responsible for the\n      document. The chief information officer stated that this office provides templates\n      and guidance for project documentation.\n\n      Our audit identified weaknesses in the document retention practices of the Office\n      of the Chief Information Officer that the collaboration tool was designed to\n      correct. Although the collaboration tool could be modified to provide a folder\n      structure that better aligned with the system development life cycle handbook\n      requirements, we recognized that an enforced guidance for project documentation\n      and templates could also ensure documents are properly prepared and maintained.\n\n  \xe2\x80\xa2   For recommendation 15: documentation stating the estimated completion date for\n      the Office of the Chief Financial Officer\xe2\x80\x99s guidance and a copy of the guidance\n      once final.\n\n      The Office of the Chief Financial Officer agreed with the need to clarify and define\n      the Office of the Chief Information Officer\xe2\x80\x99s budgetary accounts and proposed to\n      issue coordinated guidance, but stated that there does not seem to by the need for\n      senior agency management level conversation beyond what would normally be\n      required. Our recommendation was directed to the chief financial officer and the\n      coordinated guidance will satisfy the intent of this recommendation if it clearly\n      defines the budgetary accounts and their uses.\n\n  \xe2\x80\xa2   For recommendation 16: we will be able to close this recommendation when\n      recommendation 15 is complete and the chief information officer provides us with\n      procedures for ensuring expenses are assigned to the appropriate budgetary\n      accounts in accordance with the Office of the Chief Financial Officer coordinated\n      guidance.\n\n      The chief information officer concurred with the recommendation for procedures\n      to ensure obligations are assigned to the proper budgetary account and stated that\n      this has already begun in conjunction with the FY 2010 budget process. However,\n      in recommendation 15 the Office of the Chief Financial Officer agreed that Office\n      of the Chief Financial Officer budgetary accounts required clarification. Until\n      these budgetary accounts are clearly defined, the Office of the Chief Information\n      Officer will be unable to ensure obligations are properly assigned.\n\n  \xe2\x80\xa2   For recommendations 17 and 18: documentation stating the estimated completion\n      date for the development of standard operating procedures for Requests for\n      Agency Resources and a copy of these procedures once final.\n\x0cAPPENDIX E\n      The Office of the Chief Financial Officer commented that the Request for Agency\n      Resources for other departments should be reviewed and that guidance could be\n      expanded to include additional issues. We encourage the Office of the Chief\n      Financial Officer to take the necessary action to improve the agency\xe2\x80\x99s Request for\n      Agency Resources process, but we refrain from making additional\n      recommendations because of the scope of our audit was limited to the Office of the\n      Chief Information Officer.\n\n  \xe2\x80\xa2   For recommendation 19: a copy of the COTR certification policy and the\n      procedures of the Contract Surveillance Review Program. We also request the\n      completion date for when the COTR certification policy will be fully implemented.\n\n  \xe2\x80\xa2   For recommendation 20: documentation showing that the COTR and contracting\n      officer have determined whether the contractor fulfilled the requirements of the\n      $46,368 contract amendment for the implementation of E-vault data management\n      software and a copy of Office of the Chief Information Officer\xe2\x80\x99s reconciliation of\n      invoices to products.\n\n      The chief acquisition officer non-concurred because he was not aware of an issue\n      related to certain undelivered contract services that may improve the\n      government\xe2\x80\x99s position in negotiating contract termination costs. Our audit\n      identified improprieties including invoices not reconciled to deliverables; over-\n      expended contract line items; potential duplicative services; and services paid for\n      but not fully received. Further, we determined that reconciliation of line items to\n      deliverables in early 2008 did not correct the discrepancies identified during the\n      audit. Specifically, Peace Corps agreed to the contractor\xe2\x80\x99s proposal and modified\n      the original contract to include services associated with the installation and testing\n      of E-vault data management software. However, we found that although the\n      contractor invoiced, and was subsequently paid for 100% of these services, the E-\n      vault software had not been installed. As a result, we concluded that Peace Corps\n      purchased goods and services that were not required; approved an invoice that\n      was not accurate; and reimbursed the contractor for services that were only\n      partially received. The COTR and contracting officer must determine to what\n      extent the contractor has failed to perform all of the requirements associated with\n      the E-vault project and its effect on the contract close out process, including\n      determination of reasonable termination costs.\n\n  \xe2\x80\xa2   For recommendation 21: a copy of the training records for all Office of the Chief\n      Information Officer contracting officer\xe2\x80\x99s technical representatives.\n\n  \xe2\x80\xa2   For recommendation 22: a copy of documentation showing that the positions\n      identified in our report were filled or that the positions were eliminated and the\n      full-time equivalents were released.\n\n      The chief information officer did not concur and stated, \xe2\x80\x9cThe findings of the IG\n      were consistent with practices in all areas of the Agency and heartily endorsed by\n\x0cAPPENDIX E\n       the OCFO.\xe2\x80\x9d Although we recognize that a level of salary lapse is unavoidable, our\n       audit identified essential positions that remained vacant for excessive amounts of\n       time. If the position is essential, then the Office of Chief Information Officer\n       risked not fulfilling mission requirements. However, the Office of the Chief\n       Information Officer operated for more than a year and a half without two of the\n       vacant positions. This indicates that these positions were not essential and that the\n       salary lapse created by these vacancies could have been properly budgeted to meet\n       more urgent needs. Further, in the chief information officer\xe2\x80\x99s comments to our\n       recommendations he states that efforts were constrained by a lack of resources. By\n       properly aligning personnel and budgeting salaries, the Office of the Chief\n       Information Officer can improve its use of resources.\n\n   \xe2\x80\xa2   For recommendation 23: a copy of the Deputy Director\xe2\x80\x99s review of the current\n       structure of Peace Corps information technology personnel and their reporting\n       chain.\n\nIn their response, management describes actions they are taking or intend to take to\naddress the issues that prompted each of our recommendations. We wish to note that in\nclosing recommendations, we are not certifying that they have taken these actions nor that\nwe have reviewed their effect. Certifying compliance and verifying effectiveness are\nmanagement\xe2\x80\x99s responsibilities. However, when we feel it is warranted, we may conduct a\nfollow-up review to confirm that action has been taken and to evaluate the impact.\n\x0cAPPENDIX F\n\n         AUDIT COMPLETION AND OIG CONTACT\n\nAUDIT COMPLETION\nMr. Bradley Grubb performed the audit and Mr. Gerry Montoya supervised.\n\n\nOIG CONTACT\nIf you wish to comment on the quality or usefulness of this report to help\nus strengthen our product, please email Gerald P. Montoya, Assistant\nInspector General for Audits, at gmontoya@peacecorps.gov, or call him at\n202.692.2907.\n\x0c         REPORT FRAUD, WASTE, ABUSE,\n            AND MISMANAGEMENT\n\nFraud, waste, abuse, and mismanagement in government affect\neveryone from Peace Corps Volunteers to agency employees to the\ngeneral public. We actively solicit allegations of inefficient and\nwasteful practices, fraud, abuse, and mismanagement related to\nPeace Corps operations domestically or abroad. You can report\nallegations to us in several ways, and you may remain anonymous.\n\n\n\n\nMail:          Peace Corps\n               Office of Inspector General\n               P.O. Box 57129\n               Washington, DC 20037-7129\n\nPhone:         24-Hour Toll-Free:                  800.233.5874\n               Washington Metro Area:              202.692.2915\n\n\nFax:           202.692.2901\n\nEmail:         oig@peacecorps.gov\n\x0c'